Lecture Notes in Computer Science 1592

Jacques Stern (Ed.)

Advances in Cryptology - EUROCRYPT '99

International Conference on the Theory and Application of Cryptographic Techniques
Prague, Czech Republic, May 1999
Proceedings

Springer

Lecture Notes in Computer Science 1592 

Edited by G. Goos, J. Hartmanis and J. van Leeuwen 












Series Editors

Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornell University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editor

Jacques Stern
École Normale Supérieure
45, rue d'Ulm, F-75230 Paris 05, France
E-mail: Jacques.Stern@ens.fr



Cataloging-in-Publication data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme

Advances in cryptology : proceedings / EUROCRYPT '99, International Conference
on the Theory and Application of Cryptographic Techniques, Prague, Czech
Republic, May 2-6, 1999. Jacques Stern (ed.). - Berlin ; Heidelberg ; New
York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo :
Springer, 1999

(Lecture notes in computer science ; Vol. 1592)

ISBN 3-540-65889-0

CR Subject Classification (1998): E.3, G.2.1, D.4.6, K.6.5, F.2.1-2, C.2, J.1
ISSN 0302-9743

ISBN 3-540-65889-0 Springer-Verlag Berlin Heidelberg New York



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are
liable for prosecution under the German Copyright Law. 

(c) Springer-Verlag Berlin Heidelberg 1999 
Printed in Germany 

Typesetting: Camera-ready by author 

SPIN 10704664 06/3142 - 5 4 3 2 1 0 Printed on acid-free paper 




Preface 



EUROCRYPT '99, the seventeenth annual Eurocrypt Conference, was sponsored
by the International Association for Cryptologic Research (IACR), in cooperation
with the Group of Cryptology within the Union of Czech Mathematicians
and Physicists. The General Chair, Jaroslav Hruby, was responsible for the overall
organization of the conference in the beautiful city of Prague. Let me mention
that it was a pleasure to work together: although we were in different locations,
we managed to stay in close contact and maintain a smooth organization of the
conference.

The Program Committee, consisting of 21 members, considered 120 papers
and selected 32 for presentation. In addition, Ross Anderson kindly agreed to
chair the traditional rump session for informal short presentations of new results.
These proceedings include the revised versions of the 32 papers accepted by the
Program Committee. These papers were selected on the basis of originality,
quality, and relevance to cryptography. As a result, they should give a proper
picture of how the field is evolving. Revisions were not checked and the authors
bear full responsibility for the contents of their papers.

The selection of papers was a difficult and challenging task. Each submission
was refereed by at least three reviewers and most had four reports or more. I
wish to thank the program committee members, who did an excellent job. In
addition, I gratefully acknowledge the help of a large number of colleagues who
reviewed submissions in their areas of expertise. They are: Michel Abdalla, Josh
Benaloh, Charles Bennett, Simon Blackburn, Matt Blaze, Christian Cachin, Jan
Camenisch, Ran Canetti, Benny Chor, Galdi Clemente, Jean-Sébastien Coron,
Paolo D'Arco, Anand Desai, Uri Feige, Marc Fischlin, Roger Fischlin, Matt
Franklin, Steven Galbraith, Rosario Gennaro, Pierre Girard, Dieter Gollmann,
Shai Halevi, Helena Handschuh, Yuval Ishai, Markus Jakobsson, Mike Just,
Ted Krovetz, Kaoru Kurosawa, Eyal Kushilevitz, Keith Martin, Barbara Masucci,
Johannes Merkle, Daniele Micciancio, Victor S. Miller, Fauzan Mirza,
Serge Mister, Peter L. Montgomery, Tal Mor, David M'Raïhi, Luke O'Connor,
Andrew Odlyzko, Wakaha Ogata, Koji Okada, Pascal Paillier, Pino Persiano,
David Pointcheval, Bart Preneel, Tal Rabin, Omer Reingold, Phil Rogaway,
Ludovic Rousseau, Berry Schoenmakers, Peter Shor, Jean-Pierre Seifert, Othmar
Staffelbach, Ugo Vaccaro, Serge Vaudenay, Ruizhong Wei, Mike Wiener, Rebecca
Wright, Xian-Mo Zhang, and Robert Zuccherato. I apologize for any inadvertent
omission.

I also wish to thank my PhD students Phong Nguyen, Thomas Pornin, and
Guillaume Poupard, who helped me a great deal at various steps of the whole
process. Their computer skills and the time and effort they invested were a
crucial ingredient of my ability to run the program committee. Thomas ran the
electronic submission phase and was able to print all postscript files, including
those produced by non-standard word processors. Guillaume opened a private
FTP server and Web site for PC members, and Phong did the editing work,
both in paper and in electronic form. I hope I did not distract them too much
from their research, but they were kind enough to tell me they had learnt a lot.
Thanks also to Joelle Isnard and Nadine Riou, who organized the PC meeting
in Paris.

Following the example of CRYPTO ’98, EUROCRYPT ’99 was the first 
of the Eurocrypt series with electronic submissions. The electronic submission 
option was a clear choice for almost all authors, with only 5 % of the papers sub- 
mitted by regular mail. I believe that the time has come to make e-submission 
mandatory, but it will be the choice of future Crypto and Eurocrypt PC chairs. 
I wish to thank Joe Kilian, who forwarded us the electronic submission software 
used for CRYPTO ’98 and helped us run it. This software was originally de- 
veloped by ACM’s SIGACT group and I thank the ACM for allowing us to use 
their system. 

Finally, I wish to thank all the authors who submitted papers for making this
conference possible by creating the scientific material, and especially the authors
of accepted papers. I would also like to thank the publisher, Springer-Verlag, for
working within a tight schedule in order to produce these proceedings in due
time.

Jacques Stern
Program Chair
Cryptanalysis of RSA with Private Key d Less than $N^{0.292}$

Dan Boneh* and Glenn Durfee**

Computer Science Department, Stanford University, Stanford, CA 94305-9045
{dabo,gdurf}@cs.stanford.edu



Abstract. We show that if the private exponent $d$ used in the RSA
public-key cryptosystem is less than $N^{0.292}$ then the system is insecure.
This is the first improvement over an old result of Wiener showing that
when $d < N^{0.25}$ the RSA system is insecure. We hope our approach can
be used to eventually improve the bound to $d < N^{0.5}$.



1 Introduction 

To provide fast RSA signature generation one is tempted to use a small private
exponent $d$. Unfortunately, Wiener [?] showed over ten years ago that if one
uses $d < N^{0.25}$ then the RSA system can be broken. Since then there have been
no improvements to this bound. Verheul and Tilborg [?] showed that as long
as $d < N^{0.5}$ it is possible to expose $d$ in less time than an exhaustive search;
however, their algorithm requires exponential time as soon as $d > N^{0.25}$.

In this paper we give the first substantial improvement to Wiener's result.
We show that as long as $d < N^{0.292}$ one can efficiently break the system. We
hope our approach will eventually lead to what we believe is the correct bound,
namely $d < N^{0.5}$. Our results are based on the seminal work of Coppersmith [?].

Wiener describes a number of clever techniques for avoiding his attack while
still providing fast RSA signature generation. One such suggestion is to use a
large value of $e$. Indeed, Wiener's attack provides no information as soon as
$e > N^{1.5}$. In contrast, our approach is effective as long as $e < N^{1.875}$. Consequently,
larger values of $e$ must be used to defeat the attack. We discuss this variant in
Section 5.



2 Overview of Our Approach 

Recall that an RSA public key is a pair $\langle N, e\rangle$ where $N = pq$ is the product of two
$n$-bit primes. For simplicity, we assume $\gcd(p-1, q-1) = 2$. The corresponding
private key is a pair $\langle N, d\rangle$ where $e \cdot d = 1 \bmod \phi(N)$ where $\phi(N) = N - p - q + 1$.



* Supported by DARPA.

** Supported by Certicom and an NSF Graduate Research Fellowship.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 1–11, 1999.
© Springer-Verlag Berlin Heidelberg 1999






Note that both $e$ and $d$ are less than $\phi(N)$. It follows that there exists an integer
$k$ such that

$$ed + k\Big(\frac{N+1}{2} - \frac{p+q}{2}\Big) = 1. \qquad (1)$$

Writing $s = -\frac{p+q}{2}$ and $A = \frac{N+1}{2}$ we know:

$$k(A + s) \equiv 1 \pmod e.$$


Throughout the paper we write $e = N^{\alpha}$ for some $\alpha$. Typically, $e$ is of the
same order of magnitude as $N$ (e.g. $e > N/10$) and therefore $\alpha$ is very close
to 1. As we shall see, when $\alpha$ is much smaller than 1 our results become even
stronger.

Suppose the private exponent $d$ satisfies $d < N^{\delta}$. Wiener's results show that
when $\delta < 0.25$ the value of $d$ can be efficiently found given $e$ and $N$. Our goal
is to show that the same holds for larger values of $\delta$. By equation (1) we know
that

$$|k| < \frac{2de}{\phi(N)} < \frac{3de}{N} < 3e^{1 + (\delta - 1)/\alpha}.$$

Similarly, we know that

$$|s| < 2N^{0.5} = 2e^{1/(2\alpha)}.$$

To summarize, taking $\alpha \approx 1$ (which is the common case) and ignoring constants,
we end up with the following problem: find integers $k$ and $s$ satisfying

$$k(A + s) \equiv 1 \pmod e \quad \text{where } |s| < e^{0.5} \text{ and } |k| < e^{\delta}. \qquad (2)$$

The problem can be viewed as follows: given an integer $A$, find an element "close"
to $A$ whose inverse modulo $e$ is "small". We refer to this as the small inverse
problem. Clearly, if for a given value of $\delta < 0.5$ one can efficiently list all the
solutions to the small inverse problem, then RSA with private exponent smaller
than $N^{\delta}$ is insecure (simply observe that given $s$ modulo $e$ one can factor $N$
immediately, since $e > s$). Currently we can solve the small inverse problem
whenever $\delta < 1 - \frac{1}{\sqrt{2}} \approx 0.292$.

Remark 1. A simple heuristic argument shows that for any $\epsilon > 0$, if $k$ is bounded
by $N^{0.5 - \epsilon}$ (i.e. $\delta < 0.5$) then the small inverse problem (equation (2)) is very
likely to have a unique solution. The unique solution enables one to break RSA.
Therefore, the problem encodes enough information to prove that RSA with
$d < N^{0.5}$ is insecure. For $d > N^{0.5}$ we have that $k > N^{0.5}$ and the problem will
no longer have a unique solution. Therefore, we believe this approach can be
used to show that $d < N^{0.5}$ is insecure, but gives no results for $d > N^{0.5}$.

The next section gives a brief introduction to lattices over $\mathbb{Z}^n$. Our solution to
the small inverse problem when $\alpha$ is close to 1 is given in Section 4. In Section 5
we give a solution for arbitrary $\alpha$. Section 6 describes experimental results with
the algorithm.

3 Preliminaries

Let $u_1, \ldots, u_w \in \mathbb{Z}^n$ be linearly independent vectors with $w \le n$. A lattice $L$
spanned by $\langle u_1, \ldots, u_w\rangle$ is the set of all integer linear combinations of $u_1, \ldots, u_w$.
We say that the lattice is full rank if $w = n$. We state a few basic results about
lattices and refer to [?] for an introduction.

Let $L$ be a lattice spanned by $\langle u_1, \ldots, u_w\rangle$. We denote by $u_1^*, \ldots, u_w^*$ the vectors
obtained by applying the Gram-Schmidt process to the vectors $u_1, \ldots, u_w$.
We define the determinant of the lattice $L$ as

$$\det(L) := \prod_{i=1}^{w} \|u_i^*\|.$$

If $L$ is a full rank lattice then the determinant of $L$ is equal to the determinant
of the $w \times w$ matrix whose rows are the basis vectors $u_1, \ldots, u_w$.

Fact 1 (LLL). Let $L$ be a lattice spanned by $\langle u_1, \ldots, u_w\rangle$. Then the LLL algorithm,
given $\langle u_1, \ldots, u_w\rangle$, will produce a new basis $\langle b_1, \ldots, b_w\rangle$ of $L$ satisfying:

1. $\|b_i^*\|^2 \le 2\|b_{i+1}^*\|^2$ for all $1 \le i < w$.

2. For all $i$, if $b_i = b_i^* + \sum_{j=1}^{i-1} \mu_j b_j^*$ then $|\mu_j| \le \frac{1}{2}$ for all $j$.

We note that an LLL-reduced basis satisfies some stronger properties, but
those are not relevant to our discussion.

Fact 2. Let $L$ be a lattice and $b_1, \ldots, b_w$ be an LLL-reduced basis of $L$. Then

$$\|b_1\| \le 2^{w/2} \det(L)^{1/w}.$$

Proof. Since $b_1 = b_1^*$ the bound immediately follows from:

$$\det(L) = \prod \|b_i^*\| \ge \|b_1\|^{w} \, 2^{-w^2/2}.$$

□

In the spirit of a recent result due to Jutla [5] we provide a bound on the
norm of other vectors in an LLL reduced basis. For a basis $\langle u_1, \ldots, u_w\rangle$ of a
lattice $L$, define

$$u^*_{\min} := \min_i \|u_i^*\|.$$

Fact 3. Let $L$ be a lattice spanned by $\langle u_1, \ldots, u_w\rangle$ and let $\langle b_1, \ldots, b_w\rangle$ be the
result of applying LLL to the given basis. Suppose $u^*_{\min} \ge 1$. Then

$$\|b_2\| \le 2^{w/2} \det(L)^{1/(w-1)}.$$

Proof. It is well known that $u^*_{\min}$ is a lower bound on the length of the shortest
vector in $L$. Consequently, $\|b_1\| \ge u^*_{\min}$. We obtain

$$\det(L) = \prod_i \|b_i^*\| \ge \|b_1\| \cdot \|b_2^*\|^{w-1} \, 2^{-(w-1)^2/2}.$$

Hence,

$$\|b_2^*\| \le 2^{\frac{w-1}{2}} \Big(\frac{\det(L)}{u^*_{\min}}\Big)^{\frac{1}{w-1}} \le 2^{\frac{w-1}{2}} \det(L)^{\frac{1}{w-1}},$$

which leads to

$$\|b_2\|^2 \le \|b_2^*\|^2 + \frac{1}{4}\|b_1\|^2 \le 2^{w-1}\det(L)^{\frac{2}{w-1}} + 2^{w-2}\det(L)^{\frac{2}{w}} \le 2^{w}\det(L)^{\frac{2}{w-1}}.$$

Note that $\det(L) \ge 1$ since $u^*_{\min} \ge 1$. The bound now follows.

□

Similar bounds can be derived for other $b_i$'s. For our purposes the bound on
$b_2$ is sufficient.



4 Solving the Small Inverse Problem 

In this section we focus on the case when $e$ is of the same order of magnitude
as $N$, i.e. if $e = N^{\alpha}$ then $\alpha$ is close to 1. To simplify the exposition, in this
section we simply take $\alpha = 1$. In the next section we give the general solution
for arbitrary $\alpha$. When $\alpha = 1$ the small inverse problem is the following: given a
polynomial $f(x,y) = x(A + y) - 1$, find $(x_0, y_0)$ satisfying

$$f(x_0, y_0) \equiv 0 \pmod e \quad \text{where } |x_0| < e^{\delta} \text{ and } |y_0| < e^{0.5}.$$

We show that the problem can be solved whenever $\delta < 1 - \frac{1}{\sqrt{2}} \approx 0.292$. We
begin by giving an algorithm that works when $\delta < \frac{7}{6} - \frac{1}{3}\sqrt{7} \approx 0.285$. Our
solution is based on a powerful technique due to Coppersmith [2], as presented
by Howgrave-Graham [?]. We note that for this particular polynomial our results
beat the generic bound given by Coppersmith. For simplicity, let $X = e^{\delta}$ and
$Y = e^{0.5}$.

Given a polynomial $h(x,y) = \sum a_{ij} x^i y^j$, we define $\|h(x,y)\|^2 := \sum |a_{ij}|^2$.

The main tool we use is stated in the following fact.

Fact 4 (HG98). Let $h(x,y) \in \mathbb{Z}[x,y]$ be a polynomial which is a sum of at most
$w$ monomials. Suppose that

a. $h(x_0, y_0) \equiv 0 \bmod e^m$ for some positive integer $m$ where $|x_0| < X$ and $|y_0| < Y$, and

b. $\|h(xX, yY)\| < e^m / \sqrt{w}$.

Then $h(x_0, y_0) = 0$ holds over the integers.

Proof. Observe that

$$|h(x_0,y_0)| = \Big|\sum a_{ij} x_0^i y_0^j\Big| = \Big|\sum a_{ij} X^i Y^j \Big(\frac{x_0}{X}\Big)^i \Big(\frac{y_0}{Y}\Big)^j\Big| \le \sum \Big|a_{ij} X^i Y^j \Big(\frac{x_0}{X}\Big)^i \Big(\frac{y_0}{Y}\Big)^j\Big| \le \sum |a_{ij} X^i Y^j| \le \sqrt{w}\,\|h(xX,yY)\| < e^m,$$

but since $h(x_0,y_0) \equiv 0$ modulo $e^m$ we have that $h(x_0,y_0) = 0$.

□



Fact 4 suggests that we should be looking for a polynomial with small norm
that has $(x_0,y_0)$ as a root modulo $e^m$. To do so, given a positive integer $m$ we
define the polynomials

$$g_{i,k}(x,y) := x^i f^k(x,y)\, e^{m-k} \quad \text{and} \quad h_{j,k}(x,y) := y^j f^k(x,y)\, e^{m-k}.$$

We refer to the $g_{i,k}$ polynomials as $x$-shifts and the $h_{j,k}$ polynomials as $y$-shifts.
Observe that $(x_0,y_0)$ is a root of all these polynomials modulo $e^m$ for $k =
0, \ldots, m$. We are interested in finding a low-norm integer linear combination
of the polynomials $g_{i,k}(xX,yY)$ and $h_{j,k}(xX,yY)$. To do so we form a lattice
spanned by the corresponding coefficient vectors. Our goal is to build a lattice
that has sufficiently small vectors and then use LLL to find them. By Fact 2 we
must show that the lattice spanned by the polynomials has a sufficiently small
determinant.

Given an integer $m$, we build a lattice spanned by the coefficient vectors
of the polynomials for $k = 0, \ldots, m$. For each $k$ we use $g_{i,k}(xX,yY)$ for $i =
0, \ldots, m-k$ and use $h_{j,k}(xX,yY)$ for $j = 0, \ldots, t$ for some parameter $t$ that
will be determined later. For example, when $m = 3$ and $t = 1$ the lattice is
spanned by the rows of the matrix in Figure 1. Since the lattice is spanned
by a lower triangular matrix, its determinant is only affected by entries on the
diagonal, which we give explicitly. Each "block" of rows corresponds to a certain
power of $x$. The last block is the result of the $y$-shifts. In the example in Figure 1
$t = 1$, so only linear shifts of $y$ are given. As we shall see, the $y$-shifts are the
main reason for our improved results.

We now turn to calculating the determinant of the above lattice. A routine
calculation shows that the determinant of the submatrix corresponding to all $x$-shifts
(i.e. ignoring the $y$-shifts by taking $t = 0$) is

$$\det_x = e^{m(m+1)(m+2)/3} \cdot X^{m(m+1)(m+2)/3} \cdot Y^{m(m+1)(m+2)/6}.$$

For example, when $m = 3$ the determinant of the submatrix excluding the
bottom block is $e^{20} X^{20} Y^{10}$. Plugging in $X = e^{\delta}$ and $Y = e^{0.5}$ we obtain

$$\det_x = e^{m(m+1)(m+2)(5+4\delta)/12}.$$

It is interesting to note that the dimension of the submatrix is $w = (m+1)(m+2)/2$,
and so the $w$th root of the determinant is $e^{m(5+4\delta)/6}$. For us to be
able to use Fact 4 we must have $e^{m(5+4\delta)/6} < e^m$, implying $(5 + 4\delta) < 6$. We obtain
$\delta < 0.25$. This is exactly Wiener's result. Consequently, the lattice formed by
taking all $x$-shifts cannot be used to improve on Wiener's result.

[Fig. 1. The matrix spanned by $g_{i,k}$ and $h_{j,k}$ for $k = 0..3$, $i = 0..3-k$, and
$j = 0, 1$. The symbols denote non-zero entries whose value we do not care
about.]

To improve on Wiener's result we include the $y$-shifts into the calculation.
For a given value of $m$ and $t$, the product of the elements on the diagonal of the
submatrix corresponding to the $y$-shifts is:

$$\det_y = e^{tm(m+1)/2} \cdot X^{tm(m+1)/2} \cdot Y^{t(m+1)(m+t+1)/2}.$$

Plugging in the values of $X$ and $Y$, we obtain:

$$\det_y = e^{tm(m+1)(1+\delta)/2 + t(m+1)(m+t+1)/4}.$$

The determinant of the entire matrix is $\det(L) = \det_x \cdot \det_y$ and its dimension
is $w = (m+1)(m+2)/2 + t(m+1)$.
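The lattice of this section, as an added Python illustration that is not the paper's code: it builds the coefficient rows of $g_{i,k}(xX,yY)$ and $h_{j,k}(xX,yY)$ for $f(x,y) = x(A+y)-1$, orders rows and columns by leading monomial (which keeps the basis lower triangular), checks the diagonal product against the closed forms $\det_x$ and $\det_y$, applies condition (b) of Fact 4 to a coefficient vector, and evaluates the $\delta$ bound for general $\alpha$ (the Section 5 formula, so it goes beyond the $\alpha = 1$ case treated here). $A$, $e$, $X$, $Y$ are small constructed values, not an RSA key.

```python
from math import sqrt

def poly_mul(p, q):
    """Multiply polynomials in x, y stored as {(deg_x, deg_y): coefficient}."""
    r = {}
    for (a, b), c in p.items():
        for (u, v), d in q.items():
            r[(a + u, b + v)] = r.get((a + u, b + v), 0) + c * d
    return {mon: c for mon, c in r.items() if c}

def build_lattice(A, e, X, Y, m, t):
    """Rows = coefficient vectors of g_{i,k}(xX, yY) (i = 0..m-k) and
    h_{j,k}(xX, yY) (j = 1..t) for k = 0..m.  Rows and columns are sorted by
    leading monomial (x-degree, then y-degree), i.e. blocks by power of x,
    which makes the basis matrix lower triangular.  Returns (rows, monomials)."""
    f = {(1, 0): A, (1, 1): 1, (0, 0): -1}            # f(x, y) = x(A + y) - 1
    fpows, fk = [], {(0, 0): 1}
    for _ in range(m + 1):                             # f^0, f^1, ..., f^m
        fpows.append(fk)
        fk = poly_mul(fk, f)
    entries = []                                       # (leading monomial, polynomial)
    for k in range(m + 1):
        for i in range(m - k + 1):                     # x-shift g_{i,k} = x^i f^k e^{m-k}
            entries.append(((i + k, k), poly_mul({(i, 0): e ** (m - k)}, fpows[k])))
        for j in range(1, t + 1):                      # y-shift h_{j,k} = y^j f^k e^{m-k}
            entries.append(((k, k + j), poly_mul({(0, j): e ** (m - k)}, fpows[k])))
    entries.sort(key=lambda item: item[0])
    monomials = [lead for lead, _ in entries]
    rows = [[p.get((a, b), 0) * X ** a * Y ** b for (a, b) in monomials]
            for _, p in entries]
    return rows, monomials

def is_lower_triangular(rows):
    n = len(rows)
    return all(rows[r][c] == 0 for r in range(n) for c in range(r + 1, n))

def diagonal_product(rows):
    """det(L) of a triangular basis: the product of the diagonal entries."""
    d = 1
    for r, row in enumerate(rows):
        d *= row[r]
    return d

def closed_form_det(e, X, Y, m, t):
    """det_x * det_y as given in Section 4 (every exponent is an integer)."""
    c = m * (m + 1) * (m + 2)
    det_x = e ** (c // 3) * X ** (c // 3) * Y ** (c // 6)
    det_y = (e ** (t * m * (m + 1) // 2) * X ** (t * m * (m + 1) // 2)
             * Y ** (t * (m + 1) * (m + t + 1) // 2))
    return det_x * det_y

def howgrave_graham_ok(vec, e, m):
    """Condition (b) of Fact 4, ||h(xX, yY)|| < e^m / sqrt(w), checked exactly
    in integers as  w * ||vec||^2 < e^(2m)  for a vector of w coefficients."""
    w = len(vec)
    return w * sum(v * v for v in vec) < e ** (2 * m)

def delta_bound(alpha):
    """Largest delta of Section 5 when e = N^alpha; alpha = 1 gives 7/6 - sqrt(7)/3."""
    return 7 / 6 - sqrt(1 + 6 * alpha) / 3

if __name__ == "__main__":
    rows, mons = build_lattice(A=123456, e=1000003, X=100, Y=1000, m=3, t=1)
    print(len(rows), is_lower_triangular(rows),
          diagonal_product(rows) == closed_form_det(1000003, 100, 1000, 3, 1))
```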

We intend to apply Fact 4 to the shortest vectors in the LLL-reduced basis of
$L$. To do so, we must ensure that the norm of $b_1$ is less than $e^m/\sqrt{w}$. Combining
this with Fact 2 we must solve for the largest value of $\delta$ satisfying

$$\det(L) < \gamma\, e^{mw},$$

where $\gamma = (\sqrt{w}\, 2^{w/2})^{-w}$. Since the dimension $w$ is only a function of $m$ and $t$ (but not
of the public exponent $e$), $\gamma$ is a fixed constant, negligible compared to $e^{mw}$.
Manipulating the expressions for the determinant and the dimension to solve for
$\delta$ requires tedious arithmetic. We provide the exact solution in the full version of
this paper. Here, we carry out the computation ignoring low order terms. That
is, we write

$$w = \frac{m^2}{2} + tm + o(m^2), \qquad \det(L) = e^{\frac{5+4\delta}{12} m^3 + \frac{3+2\delta}{4} tm^2 + \frac{1}{4} mt^2 + o(m^3)}.$$

To satisfy $\det(L) < e^{mw}$ we must have

$$\frac{5+4\delta}{12} m^3 + \frac{3+2\delta}{4} tm^2 + \frac{1}{4} mt^2 < \frac{m^3}{2} + tm^2.$$

This leads to

$$m^2(-1 + 4\delta) - 3tm(1 - 2\delta) + 3t^2 < 0.$$

For every $m$ the left hand side is minimized at $t = \frac{m(1-2\delta)}{2}$. Plugging this value
in leads to:

$$-1 + 4\delta - \frac{3}{2}(1-2\delta)^2 + \frac{3}{4}(1-2\delta)^2 < 0,$$

implying $-7 + 28\delta - 12\delta^2 < 0$. Hence,

$$\delta < \frac{7}{6} - \frac{1}{3}\sqrt{7} \approx 0.285.$$

Hence, for large enough $m$, whenever $\delta < \frac{7}{6} - \frac{1}{3}\sqrt{7} - \epsilon$ for any fixed $\epsilon > 0$ we can
find a bivariate polynomial $g_1 \in \mathbb{Z}[x,y]$ such that $g_1(x_0, y_0) = 0$ over the integers.
Unfortunately, this is not enough. To obtain another relation, we use Fact 3 to
bound the norm of $b_2$. Observe that since the original basis for $L$ is a triangular
matrix, $u^*_{\min}$ is simply the smallest element on the diagonal. This turns out to
be the element in the last row of the $x$-shifts, namely $X^m Y^m$, which is
certainly greater than 1. Hence, Fact 3 applies. Combining Fact 3 and Fact 4 we
see that $b_2$ will yield an additional polynomial $g_2$ satisfying $g_2(x_0, y_0) = 0$ if

$$\det(L) < \gamma'\, e^{m(w-1)},$$

where $\gamma' = (\sqrt{w}\, 2^{w/2})^{-(w-1)}$. For large enough $m$, this inequality is guaranteed to hold,
since the modifications only affect low order terms. Hence, we obtain another
polynomial $g_2 \in \mathbb{Z}[x,y]$ linearly independent of $g_1$ such that $g_2(x_0, y_0) = 0$ over
the integers. We can now attempt to solve for $x_0$ and $y_0$ by computing the
resultant $h(x) = \mathrm{Res}_y(g_1, g_2)$. Then $x_0$ must be a root of $h(x)$. By trying all
roots $x_0$ of $h(x)$ we find $y_0$ using $g_1(x_0, y)$.

Although the polynomials $g_1, g_2$ are linearly independent, they may not be
algebraically independent; they might have a common factor. Indeed, we cannot
guarantee that the resultant $h(x)$ is not identically zero. Consequently, we
cannot claim our result as a theorem. At the moment it is a heuristic. Our
experiments show it is a very good heuristic, as discussed in Section 6. The reason
the algorithm works so well is that in our lattice, short vectors produced by LLL
appear to behave as independent vectors.

Remark 2. The reader may be wondering why we construct the lattice $L$ using
$x$-shifts and $y$-shifts of $f$, but do not explicitly use mixed shifts of the form
$x^i y^j f^k$. The reason is that all mixed shifts of $f$ over the monomials used in $L$
are already included in the lattice. That is, any polynomial $x^i y^j f^k e^{m-k}$ can be
expressed as an integer linear combination of $x$-shifts and $y$-shifts. To see this,
observe that for any $j$, we have

$$x^i y^j = \sum_{u=0}^{i} \sum_{v=0}^{u} b_{u,v}\, x^{u-v} f^{v} + \sum_{u=1}^{j-i} \sum_{v=0}^{i} c_{u,v}\, y^{u} f^{v}$$

for some integer constants $b_{u,v}$ and $c_{u,v}$. Note that when $j < i$ the second
summation is vacuous and hence zero. It now follows that

$$x^i y^j f^k e^{m-k} = \sum_{u=0}^{i} \sum_{v=0}^{u} b_{u,v}\, x^{u-v} f^{v+k} e^{m-k} + \sum_{u=1}^{j-i} \sum_{v=0}^{i} c_{u,v}\, y^{u} f^{v+k} e^{m-k}$$

$$= \sum_{u=0}^{i} \sum_{v=0}^{u} b_{u,v}\, e^{v}\, g_{u-v,\,v+k} + \sum_{u=1}^{j-i} \sum_{v=0}^{i} c_{u,v}\, e^{v}\, h_{u,\,v+k},$$

since $g_{u-v,\,v+k} = x^{u-v} f^{v+k} e^{m-v-k}$ and $h_{u,\,v+k} = y^{u} f^{v+k} e^{m-v-k}$.
Consequently, $x^i y^j f^k e^{m-k}$ is already included in the lattice.



4.1 Improved Determinant Bounds

The results of the last section show that the small inverse problem can be solved
when $\delta < 0.285$. The bound is derived from the determinant of the lattice $L$. It
turns out that the lattice $L$ contains a sublattice with a smaller determinant.
Working in this sublattice leads to improved results. The idea is to remove
some of the rows that enlarge the determinant. We throw away the $y$-shifts
corresponding to low powers of $f$. Namely, for all $r$ and $i > (1 - 2\delta)r$, the
polynomials $y^i f^r$ are not included in the lattice. Since these "damaging" $y$-shifts
are taken out, more $y$-shifts can be included. More precisely, the largest
$y$-shift can now be taken to be $t = m(1 - 2\delta)$ as opposed to $t = m(1-2\delta)/2$ used in
the previous section.

The lattice constructed using these ideas is no longer full rank. In particular,
the basis vectors no longer form a triangular matrix. As a result, the determinant
must be bounded by other means. Nevertheless, an improvement on the bound
on the determinant can be established, leading to the result that the small inverse
problem can be solved for $\delta < 1 - \frac{1}{\sqrt{2}} \approx 0.292$. We provide the details in the
full version of this paper.



5 Cryptanalysis of Arbitrary $e$

In his paper, Wiener suggests using large values of $e$ when the exponent $d$ is
small. This can be done by adding multiples of $\phi(N)$ to $e$ before making it
known as the public key. When $e > N^{1.5}$ Wiener's attack will fail even when $d$
is small. We show that our attack applies even when larger values of $e$ are used.
As described in Section 2 we solve the small inverse problem:

$$k(A + s) \equiv 1 \pmod e \quad \text{where } |k| < 3e^{1 + (\delta-1)/\alpha} \text{ and } |s| < 2e^{1/(2\alpha)},$$

for arbitrary values of $\alpha$. We build the exact same lattice used in Section 4.
Working through the calculations one sees that the determinant of the lattice in
question is

$$\det_x(L) = e^{\frac{m^3}{3\alpha}\left(2\alpha + \delta - \frac{3}{4}\right) + o(m^3)}, \qquad
\det_y(L) = e^{\frac{tm^2}{4\alpha}\left(4\alpha + 2\delta - 1\right) + \frac{mt^2}{4\alpha} + o(m^3)}.$$

The dimension is as before. Therefore, to apply Fact 4 we must have

$$\frac{m^3}{3\alpha}\Big(2\alpha + \delta - \frac{3}{4}\Big) + \frac{tm^2}{4\alpha}\big(4\alpha + 2\delta - 1\big) + \frac{mt^2}{4\alpha} < \frac{m^3}{2} + tm^2,$$

which leads to

$$m^2(2\alpha + 4\delta - 3) - 3tm(1 - 2\delta) + 3t^2 < 0.$$

As before, the left hand side is minimized at $t = \frac{1}{2}m(1 - 2\delta)$, which leads to

$$m^2\Big[2\alpha + 7\delta - \frac{15}{4} - 3\delta^2\Big] < 0,$$

and hence

$$\delta < \frac{7}{6} - \frac{1}{3}\sqrt{1 + 6\alpha}.$$

Indeed, for $\alpha = 1$, we obtain the results of Section 4. The expression shows that
when $\alpha < 1$ our attack becomes even stronger. For instance, if $e \approx N^{2/3}$ then
RSA is insecure whenever $d < N^{\delta}$ for $\delta < 0.422$. Note that if $e \approx N^{2/3}$
then $d$ must satisfy $d > N^{1/3}$.

When $\alpha = \frac{15}{8}$ the bound implies that $\delta = 0$. Consequently, the attack becomes
totally ineffective whenever $e > N^{1.875}$. This is an improvement over
Wiener's bound, which becomes ineffective as soon as $e > N^{1.5}$.



6 Experiments

We ran some experiments to test our results when $d > N^{0.25}$. Our experiments
were carried out using the LLL implementation available in Victor Shoup's NTL
library. In all our experiments LLL produced two independent relations $g_1(x,y)$
and $g_2(x,y)$. In every case, the resultant $h(y) := \mathrm{Res}(g_1(x,y), g_2(x,y), x)$ with
respect to $x$ was a polynomial of the form $h(y) = (y + p + q)h_1(y)$, with $h_1(y)$
irreducible over $\mathbb{Z}$ (similarly for $x$). Hence, the unique solution $(x_0, y_0)$ was
correctly determined in every trial executed. Below we show the parameters of some
attacks executed.

n           δ      m   t   lattice dimension   running time
1000 bits   0.265  5   3   39                  45 minutes
3000 bits   0.265  5   3   39                  5 hours
10000 bits  0.255  3   1   14                  2 hours

These tests were performed under Solaris running on a 400MHz Intel Pentium
processor. In each of these tests, $d$ was chosen uniformly at random in a range
guaranteeing the condition $d > N^{0.25}$. The last row of the
table is especially interesting as it is an example in which our attack breaks
RSA with a $d$ that is 50 bits longer than Wiener's bound.

7 Conclusions and Open Problems

Our results show that Wiener's bound on low private exponent RSA is not tight.
In particular, we were able to improve the bound from $d < N^{0.25}$ to $d < N^{0.285}$.
Using an improved analysis of the determinant, we can show $d < N^{0.292}$. Our
results also improve Wiener's attack when large values of $e$ are used. We showed
that our attack becomes ineffective only once $e > N^{1.875}$. In contrast, Wiener's
attack became ineffective as soon as $e > N^{1.5}$.

Unfortunately, we cannot state our attack as a theorem since we cannot prove
that it always succeeds. However, experiments that we carried out demonstrate
its effectiveness. We were not able to find a single example where the attack
fails. This is similar to the situation with many factoring algorithms, where one
cannot prove that they work; instead one gives strong heuristic arguments that
explain their running time. In our case, the heuristic "assumption" we make is
that the two shortest vectors in an LLL reduced basis give rise to algebraically
independent polynomials. Our experiments confirm this assumption. We note
that a similar assumption is used in the work of Bleichenbacher [?] and Jutla [5].

Our work raises two natural open problems. The first is to make our attack
rigorous. More importantly, our work is an application of Coppersmith's techniques
to bivariate modular polynomials. It is becoming increasingly important
to rigorously prove that these techniques can be applied to bivariate polynomials.

The second open problem is to improve our bounds. A bound of $d < N^{0.292}$
cannot be the final answer. It is too unnatural. We believe the correct bound is
$d < N^{0.5}$. We hope our approach eventually will lead to a proof of this stronger
bound.
Abstract. In this paper we present a new cryptanalytic technique, based
on impossible differentials, and use it to show that Skipjack reduced
from 32 to 31 rounds can be broken by an attack which is faster than
exhaustive search.

Key words: Skipjack, Cryptanalysis, Differential cryptanalysis, Impossible
differentials.



1 Introduction 

Differential cryptanalysis [?] traditionally considers characteristics or differentials
with relatively high probabilities and uses them to distinguish the correct
unknown keys from the wrong keys. When a correct key is used to decrypt the
last few rounds of many pairs of ciphertexts, it is expected that the difference
predicted by the differential appears frequently, while when a wrong key is used
the difference occurs less frequently.

In this paper we describe a new variant of differential cryptanalysis in which
a differential predicts that particular differences should not occur (i.e., that their
probability is exactly zero), and thus the correct key can never decrypt a pair of
ciphertexts to that difference. Therefore, if a pair is decrypted to this difference
under some trial key, then certainly this trial key is not the correct key. This is
a sieving attack which finds the correct keys by eliminating all the other keys
which lead to contradictions.

We call the differentials with probability zero impossible differentials, and
this method of cryptanalysis cryptanalysis with impossible differentials.

We should emphasize that the idea of using impossible events in cryptanalysis
is not new. It is well known [7] that the British cryptanalysis of the German
Enigma in World War II used several such ideas (for example, a plaintext letter

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 12–23, 1999.

© Springer-Verlag Berlin Heidelberg 1999
could not be encrypted to itself, and thus an incorrectly guessed plaintext could
be easily discarded). The first application of impossible events in differential
cryptanalysis was mentioned in [?], where zero entries in the difference distribution
tables were used to discard wrong pairs before the counting phase. A more
recent cryptanalytic attack based on impossible events was described by Biham
in 1995 in the cryptanalysis of Ladder-DES, a 4-round Feistel cipher using DES
as the F function. This cryptanalysis was published in [3], and was based on the
fact that collisions cannot be generated by a permutation. A similar technique
was later used by Knudsen in his description of DEAL, a six-round Feistel
cipher using DES as the F function. Although the idea of using impossible events
of this type was natural in the context of Feistel ciphers with only a few rounds
and with permutations as the round function, there was no general methodology
for combining impossible events with differential cryptanalytic techniques, and
for generating impossible differentials with a large number of rounds.

In this paper we show that cryptanalysis with impossible differentials is very
powerful against many ciphers with various structures. We describe an impossible
differential of Skipjack [?] which ensures that for all keys there are no pairs
of inputs with particular differences with the property that after 24 rounds of
encryption the outputs have some other particular differences. This differential
can be used to (1) attack Skipjack reduced to 31 rounds (i.e., Skipjack from
which only the first or the last round is removed), slightly faster than exhaustive
search (using $2^{?}$ chosen plaintexts and $2^{?}$ memory), (2) attack shorter variants
efficiently, and (3) distinguish whether a black box applies a 24-round variant
of Skipjack, or a random permutation. In a related paper [?] we describe the
application of this type of cryptanalysis to IDEA [?] and to Khufu [?], which
improves the best known attacks on these schemes.

For conventional cryptanalysis of Skipjack with smaller numbers of rounds
we refer the reader to [?] and to [?].

The paper is organized as follows: The description of Skipjack is given in
Section 2. The 24-round impossible differential of Skipjack is described in
Section 3. In Section 4 we describe a simple variant of our attack against Skipjack
reduced to 25 and to 26 rounds, and in Section 5 we describe our main attack
applied against Skipjack reduced to 31 rounds. Finally, in Section 6 we discuss why
the attack is not directly applicable to the full 32-round Skipjack, and summarize
the paper. In the Appendix we describe an automated approach for finding
impossible differentials.



2 Description of Skipjack 

Skipjack is an iterated blockcipher with 32 rounds of two types, called Rule A
and Rule B. Each round is described in the form of a linear feedback shift register
with an additional non-linear keyed G permutation. Rule B is basically the inverse
of Rule A with minor positioning differences. Skipjack applies eight rounds of
Rule A, followed by eight rounds of Rule B, followed by another eight rounds of
Rule A, followed by another eight rounds of Rule B. The original definitions of
Rule A:

    w_1^{k+1} = G^k(w_1^k) \oplus w_4^k \oplus counter^k
    w_2^{k+1} = G^k(w_1^k)
    w_3^{k+1} = w_2^k
    w_4^{k+1} = w_3^k

Rule B:

    w_1^{k+1} = w_4^k
    w_2^{k+1} = G^k(w_1^k)
    w_3^{k+1} = w_1^k \oplus w_2^k \oplus counter^k
    w_4^{k+1} = w_3^k

Fig. 1. Rule A and Rule B



Rule A and Rule B are given in Figure 1, where counter is the round number
(in the range 1 to 32), and where G is a four-round Feistel permutation whose
F function is defined as an 8x8-bit S-box (called the F table), and each round
of G is keyed by eight bits of the key. The key schedule of Skipjack takes a
10-byte key, and uses four of them at a time to key each G permutation. The
first four bytes are used to key the first G permutation, and each additional
G permutation is keyed by the next four bytes cyclically, with a cycle of five
rounds.

The description becomes simpler if we unroll the rounds, and keep the four
elements in the shift register stationary. Figure 2 describes this representation
of Skipjack (only the first 16 rounds out of 32 are listed; the next 16 rounds are
identical except for the counter values). The unusual structure after round 8 (and
after round 24) is the result of simplifying the two consecutive XOR operations
at the boundary between Rule A and Rule B rounds.



3 A 24-Round Differential with Probability Zero 

We concentrate on the 24 rounds of Skipjack starting from round 5 and ending
at round 28 (i.e., without the first four rounds and the last four rounds). For
the sake of clarity, we use the original round numbers of the full Skipjack, i.e.,
from 5 to 28, rather than from 1 to 24. Given any pair with difference only in the
second word of the input of round 5, i.e., with a difference of the form (0, a, 0, 0),
the difference after round 28 cannot be of the form (b, 0, 0, 0), for any non-zero
a and b.

The reason that this differential has probability zero can be explained as a
miss in the middle combination of two 12-round differentials with probability 1:
As Wagner observed, the second input word of round 5 does not affect the
fourth word after round 16, and given an input difference (0, a, 0, 0) the difference
after 12 rounds is of the form (c, d, e, 0) for some non-zero c, d, and e. On the
other hand, we can predict the data after round 16 from the output difference of
round 28, i.e., consider the differentials in the backward direction. Similarly
to the 12-round differential with probability 1, there is a backward 12-round
differential with probability 1. It has the difference (b, 0, 0, 0) after round 28,
and it predicts that the data after round 16 must be of the form (f, g, 0, h)
for some non-zero f, g, and h. Combining these two differentials, we conclude
that any pair with difference (0, a, 0, 0) after round 4 and difference (b, 0, 0, 0)
after round 28 must have differences of the form (c, d, e, 0) = (f, g, 0, h) after
round 16 for some non-zero c, d, e, f, g, and h. As e and h are non-zero, we
get a contradiction, and thus there cannot be pairs with such differences after
rounds 4 and 28.

Fig. 2. Skipjack

One application of this differential may be to distinguish whether an encryption
black box is a 24-round Skipjack (from round 5 to round 28), or a random
permutation. Identification requires only feeding the black box with 2^48·a pairs
(for some a) with differences of the form (0, a, 0, 0), and verifying whether the
output differences are of the form (b, 0, 0, 0). If for some pair the output
difference is of the form (b, 0, 0, 0), the black box certainly does not apply this
variant of Skipjack. On the other hand, if the black box implements a random
permutation, there is only a probability of e^{-a} that none of the 2^48·a pairs has
a difference (b, 0, 0, 0). For example, given 2®^ pairs the probability of the black
box being incorrectly identified as this variant of Skipjack is only ≈ 10“^.
These pairs can be packed efficiently using structures of 2^16 plaintexts which
form 2^31 pairs. In these structures all the plaintexts are equal except for the
second word, which ranges over all the possible 2^16 values. Using these structures,
the same distinguishing results can be reached using only 2^33·a encryptions.

4 Attack on Skipjack Reduced to 25-26 Rounds 

In this section we describe the simplest cryptanalysis of Skipjack variants, with
only one or two additional rounds (on top of the 24-round impossible differential
itself). An attack on a 25-round variant of Skipjack from round 5 to round 29 is
as follows. Choose structures of 2^16 plaintexts which differ only at their second
word, having all the possible values in it. Such structures propose about 2^31 pairs
of plaintexts. Given 2^22 such structures (2^38 plaintexts), collect all those pairs
which differ only at the first two words of the ciphertexts; by the structure of
Skipjack, only these pairs may result from pairs with a difference (b, 0, 0, 0) after
round 28. On average only half of the structures propose such pairs, and thus only
about 2^21 pairs remain. Denote the ciphertexts of such a pair by (C1, C2, C3, C4)
and (C1*, C2*, C3, C4). The pair may have a difference of the form (b, 0, 0, 0) before
the last round only if the decrypted values of C1 and C1* by the G permutation in
the last round have difference C2' = C2 ⊕ C2*. As we know that such a difference
is impossible, every key that proposes such a difference is a wrong key. For each
pair we try all the 2^32 possible values of the subkey of the last round, and verify
whether the decrypted values by the last G permutation have the difference
C2' (this process can be done efficiently in about 2^16 steps). It is expected that
about 2^16 values propose this difference, and thus we are guaranteed that these
2^16 values are not the correct subkey of the last round. After analyzing the 2^21
pairs, there remain only about 2^32 · (1 − 2^{-16})^{2^21} = 2^32 · e^{-32} ≈ 2^{-14} wrong values
of the subkey of the last round. It is thus expected that only one value remains,
and this value must be the correct subkey. The time complexity of recovering this
last 32-bit subkey is about 2^16 · 2^21 = 2^37 G permutation computations. Since
each encryption consists of about 2^5 applications of G, this time complexity
is equivalent to about 2^32 encryptions. A straightforward implementation of
the attack requires an array of 2^32 bits to keep the information of the already
identified wrong keys. A more efficient implementation requires only about 2^32
G computations on average, which is about 2^27 encryptions, and uses 2^32 bits
of memory.

Essentially the same attack works against a 26-round variant from round 4
to round 29. In this variant, the same subkey is used in the first and last rounds.
The attack is as follows: Choose 2^6 structures of 2^32 plaintexts which differ only
in the first two words and get all the 2^32 values of these two words. Find the
pairs which differ only in the first two words of the ciphertexts. It is expected
that about 2^6 · 2^63 / 2^32 = 2^37 pairs remain. Each of these pairs proposes one wrong
subkey value on average, and thus with a high probability after analysis of all
the pairs only the correct first/last subkey remains. The time complexity of this
attack when done efficiently is 2^49, using an array of 2^32 bits. The rest of the key
bits can be found by exhaustive search of 2^48 keys, or by more efficient auxiliary
techniques.



5 Cryptanalysis of Skipjack Reduced to 31 Rounds 

For the cryptanalysis of Skipjack reduced to 31 rounds, we use again the 24- 
round impossible differential. We first analyze the variant consisting of the first 
31 rounds of Skipjack, and then the variant consisting of the last 31 rounds of 
Skipjack. 

Before we describe the full details of the attack, we wish to emphasize several
delicate points. We observe that the full 80-bit key is used in the first four
rounds (before the differential), and is also used in the last three rounds (after
the differential). Therefore, the key-elimination process should discard 80-bit
candidate keys. Assuming that the verification of each of the 2^80 keys costs at
least one G computation, and as one G computation is about 31 times faster
than one encryption, we end up with an attack whose time complexity is at least
2^80/31 ≈ 2^75 encryptions. This lower bound is only marginally smaller than
exhaustive search, and therefore the attack cannot spend more than a few G
operations verifying each key, and cannot try each key more than a few times.

We next observe that if the impossible differential holds in some pair, then the
third word of the plaintexts and the third and fourth words of the ciphertexts
have zero differences, and the other words have non-zero differences. Given a
pair with such differences, and assuming that the differential holds, we get three
16-bit restrictions in rounds 1, 4, and 29. Therefore, we expect that a fraction
of 2^{-48} of the keys, i.e., about 2^32 keys, encrypt the plaintext pair to the input
difference of the differential after round 4, and decrypt the ciphertext pair to the
output difference of the differential before round 29. Once verified, these keys
are discarded. These 2^32 keys must be discarded with complexity no higher than
2^32, as we mentioned earlier. Thus, we cannot try all the 2^80 keys for each pair,
but rather we devise an efficient algorithm to compute the 2^32 keys.
The general structure of the attack is thus expected to be as follows: we
generate a large structure of chosen plaintexts and select the pairs satisfying the
required differences. We analyze these pairs, and each of them discards about
2^32 keys. After the analysis of 2^48 pairs, about 2^80 (not necessarily distinct)
keys are discarded. We expect that due to collisions, about 1/e of the keys
remain undiscarded. The analysis of additional pairs decreases the number of
undiscarded keys, until after about 2^48 ln 2^80 ≈ 2^48 · 2^6 pairs only the correct key
remains. However, the complexity of such an attack is higher than the complexity
of exhaustive search.

Therefore, we analyze only 2^49 pairs, leaving about 2^80/e^2 ≈ 2^77 keys undiscarded,
and then try the remaining keys exhaustively. We emphasize that the
analysis discards keys which cause partial encryption and decryption of a valid
pair to match the form of the impossible differential. We thus assume in the
attack that the differences proposed by the impossible differential do hold, and
discard all keys which confirm this false assumption.

We are now ready to describe the attack. We choose 2^41 plaintexts whose
third words are equal. Given the ciphertexts, we sort (or hash) them by their
third and fourth words, and select pairs which collide at these words. It is
expected that about 2^81 / 2^32 = 2^49 pairs are selected.

Each selected pair is subjected to the following analysis, consisting of four
phases. In the first phase we analyze the first round. We know the two inputs of
the G permutation, and its output difference. This G permutation is keyed by
32 bits, and there are about 2^16 of the possible subkeys that cause the expected
difference. This can be done in 2^16 steps, by guessing the first two bytes of
the subkeys, and computing the other two bytes by differential cryptanalytic
techniques. As the subkeys of the first and last rounds are the same, we can peel
off the last round for each of the possible subkeys.

We then analyze round 4. We know the input and output differences of the
G permutation in round 4. Due to the complementation properties of the
G permutation (see the footnote below), we can assume that the inputs are fixed
to some arbitrary pair of values, and find about 2^16 candidate subkeys corresponding
to these values. The complexity of this analysis is 2^16. We can then complete all
the possible combinations of inputs and subkeys using the complementation
properties. The analysis of round 29 is similar. We now observe that the same
subkey is used in round 4 and in round 29. The possible subkeys of rounds 4 and 29
are kept efficiently by using the complementation property, and thus we cannot
directly search for two equal subkey values. Instead, we observe that the XOR value
of the first two subkey bytes with the other two subkey bytes is independent of
complementation, and we use this XOR value as the common value which is used
to join the two lists of subkeys of both rounds. By a proper complementation we
get a list of about 2^16 tuples of the subkey, the input of round 4 and the output
of round 29. The complexity of this analysis is about 2^16 steps. This list can still
be subjected to the complementation property to get all the (about 2^32) possible
combinations.

(Footnote) The G permutation of Skipjack has 2^16 − 1 complementation properties: Let
O = G_k(I), and let d = (d_0, d_1) be any 16-bit value. Then O ⊕ d =

The third phase joins the two lists into a list of about 2^32 entries of the form
(cv_0, ..., cv_5, X_3, X_30), where cv_0, ..., cv_5 are the six key bytes used in rounds 1,
4, and 29, X_3 is the feedback of the XOR operation in round 3 (i.e., the output
of the third G permutation), and X_30 is the feedback in round 30 (i.e., the input
of the 30th G permutation, which is the same in both members of the pair if
cv_0, ..., cv_5 are correct). For each of these values we can now encrypt the first
half of round 2 (using cv_4 and cv_5) and decrypt the second half of round 3 (using
X_3, cv_0, and cv_1). We can view the second half of round 2 and the first half of
round 3 as one permutation, which we call G', which has an additional feedback
(the third plaintext word) in its middle. We are left now with only two equalities
involving cv_6, ..., cv_9 which should hold, as we know the input and output of
round 30, and we know the two outputs of G'. There is only one solution for
cv_6, ..., cv_9 on average, and given the solution we find a key which encrypts the
plaintexts to the input difference of the impossible differential after round 4, and
decrypts the ciphertexts to the impossible difference before round 29. Therefore,
we find a key which is certainly wrong, and thus should be discarded.

In total we find about 2^32 such keys during the analysis of each pair. By
analyzing 2^49 pairs selected from the 2^41 chosen plaintexts, we find a total of
2^49 · 2^32 = 2^81 keys, but some of them are found more than once. It is expected
that a fraction of (1 − 2^{-80})^{2^81} = 1/e^2 ≈ 1/8 of the keys are not discarded. These
keys are then tested by trial encryptions in the fourth phase.

To complete the description of the attack we should describe two delicate
implementation details: The first detail describes how to find the subkey cv_6, ..., cv_9
using one table lookup. The inputs and outputs of G and G' consist of 80 bits,
and for each choice of the 80-bit query there is on average only one solution
for the subkey. Therefore, we could keep a table of 2^80 entries, each storing the
solution(s) for a specific query. But the size of this table and the time of its
precomputation are larger than the complexities we can afford. Instead, we observe
that the complementation property of the G permutation enables us to fix
one of the input words (say to zero) by XORing the other input, the two outputs,
and the proposed subkeys (excluding the intermediate feedback of G') by the
original value of this input. We can, therefore, reduce the size of the table to 2^64,
and the precomputation time to 2^64 as well. Each entry of the table contains on
average one 32-bit subkey. The size of the table can be halved by keeping only
the first 16 bits of the subkey, observing that the second half can then be easily
computed given the first half.

The second delicate implementation detail is related to the way we keep
the list of discarded keys. The simplest way is to keep the list in a table of
2^80 binary entries whose values are initialized to 0, and are set to 1 when the
corresponding keys are discarded. But again, this table is too large (although its
initialization and update times are still considerably faster than the rest of the
attack). Instead, we observe that we can perform the attack iteratively (while
caching the results of phase 2), where in each iteration we analyze only the keys
whose first two bytes cv_0 and cv_1 are fixed to the index of the iteration. This
modification can be performed easily as the attack guesses these two bytes in its
first phase, and each guess leads to independent computations. We thus perform
exactly the same attack with a different order of instructions. As the first 16 bits
of the keys are now fixed in each iteration, the number of required entries in the
table is reduced to 2^48.

    Rounds       Chosen Plaintexts   Steps
    25 (5-29)    2^38                2^27
    26 (4-29)    2^38                2^49
    28 (1-28)    2^34                2 ""
    29 (1-29)    2^34                2 ""
    30 (1-30)    2^34                2 ""
    31 (1-31)    2^41                2^78
    31 (2-32)    2^34                2^78

Table 1. Complexities of Chosen Plaintext Attacks Against Reduced-Round
Skipjack

The complexities of phases 1 and 2 are about 2^16 for each pair, and 2^49 · 2^16 =
2^65 in total for all the pairs. The complexity of phase 3 is as follows: For each pair,
and for each value in the joined list, we compute two halves of a G permutation
and solve for cv_6, ..., cv_9 given the inputs and outputs of the third G and of G'.
Assuming that this solution costs about one computation of a G permutation,
the total complexity of phase 3 is 2^49 · 2^32 · (2 · 1/2 + 1) = 2^82 computations of a G
permutation, which is equivalent to 2^82/31 ≈ 2^77 encryptions. The complexity
of phase 4 is about 2^80/8 = 2^77 encryptions. Therefore, the total complexity of
the attack is about 2^78 encryptions, which is four times faster than exhaustive
search. The average time complexity of the attack is about 2^77, which is also
four times faster than the average case of exhaustive search.

An attack on the reduced variant consisting of rounds 2 to 32 requires fewer
chosen plaintexts, and the same complexity. Given four structures of 2^32 chosen
plaintexts with words 3 and 4 fixed, we can select the ≈ 2^49 required
pairs, and apply the same attack to these pairs (exchanging rounds 1 and 32,
rounds 2 and 31, etc.). This attack can also be applied as a chosen ciphertext
attack against the variant consisting of rounds 1 to 31 using 2^34 chosen ciphertext
blocks.

6 Discussion and Conclusions

The best complexities of our attack when applied to reduced-round variants of
Skipjack are summarized in Table 1.

This attack cannot be directly used against the full 32 rounds of Skipjack
because each pair may discard only about 2^16 keys. However, the analysis of
phases 1 and 2 (which in the case of the full Skipjack also includes the analysis
of the last round) cannot be reduced below 2^16 G computations. Therefore, the
complexity of the attack is lower bounded by 2^16/32 = 2^11 times the number
of discarded keys (instead of being a few times smaller than the number of
discarded keys), and th

Note that the above attacks against Skipjack are independent of the choice
of the G permutation or the F table. Also note that if, in addition to the 5-round
cycle of the key schedule, Skipjack had 5-round groups of rules (instead
of 8-round groups of rules), i.e., had consecutive groups of five rounds of Rule
A followed by five rounds of Rule B, followed by five Rule A and five Rule B
rounds, etc., then it would have a 27-round impossible differential.

We are aware of several impossible differentials of various blockciphers, such
as a 9-round impossible differential of Feal, a 7-round impossible differential
of DES, a 20-round impossible differential of CAST-256, an 18-round impossible
differential of Khufu, and a 2.5-round impossible differential of IDEA.
In a related paper we use these impossible differentials to cryptanalyze
IDEA with up to 4.5 rounds, and to cryptanalyze Khufu with up to 20 rounds.
Both attacks analyze more rounds than any other published attack against these
ciphers.

There are many modifications and extensions of the ideas presented in this
paper. For example, cryptanalysis with impossible differentials can be used with
low-probability (rather than zero-probability) differentials, can be used with
conditional characteristics (or differentials), and can be combined with linear
(rather than differential) cryptanalysis.

Designers of new blockciphers try to show that their schemes are resistant 
to differential cryptanalysis by providing an upper bound on the probability of 
characteristics and differentials in their schemes. One of the interesting conse- 
quences of the new attack is that even a rigorously proven upper bound of this 
type is insufficient, and that designers also have to consider lower bounds in 
order to prove resistance against attacks based on impossible or low-probability 
differential properties. 



A Shrinking: An Automated Technique for Finding 
Global Impossible Differentials 

In Section 3 we used the miss in the middle approach to find the 24-round
impossible differential of Skipjack. In this appendix we describe an automated
approach for finding all the impossible differentials which are based on the global
structure of the cipher. The simplest way to automate the search is to encrypt
many pairs of plaintexts under various keys, and to conclude that every
differential proposed by the encrypted plaintexts (i.e., any differential formed by a
plaintext difference and the corresponding ciphertext difference) is not an
impossible differential. Therefore, by elimination, only differentials that never occur
in our trials may be impossible.
The main problem is that the space of differentials is too large. The problem
can be greatly simplified when considering wordwise truncated differentials
whose differences distinguish only between zero and arbitrary non-zero differences
in the various words (e.g., Skipjack divides the blocks into four words,
and thus there are only 16 possible truncated plaintext differences, and 16 possible
truncated ciphertext differences, yielding 256 truncated differentials). By
selecting various plaintext pairs and computing the ciphertext differences, we
can easily discard most differentials which are not impossible. However, when
long blocks are divided into many small words, we may never encounter an input
pair whose outputs are almost identical, except for a single word.

To overcome this problem we analyze scaled down variants of the cipher,
which preserve its global structure but change its local details (including the
size of words and the definition of the various functions and permutations). In
many cases, including the impossible differential used against Skipjack in this
paper, the particular implementation of the G permutation, the F table, and
the key schedule do not affect the impossible differentials. In such cases, we can
replace the local operations in the cipher by other operations, maintaining the
global structure. Moreover, we can also reduce the word size to a smaller word
size, together with reducing the size of the local operations, without affecting the
impossible differentials. We therefore replace the word size by a few bits (typically
three, since any invertible function with fewer bits is affine), and replace the
large functions by appropriate smaller functions (the new functions should preserve
the main character of the original functions: for example, large permutations should
be replaced by smaller permutations, linear functions by smaller linear functions,
etc.). Impossible differentials resulting from the global structure of the cipher
remain impossible even in the scaled down variant. As the block size of the new
variant is small (e.g., 12 bits in the case of Skipjack), we can easily encrypt all the
2^12 plaintexts and calculate all their differences (by exhaustive computation of all
the 2^24 pairs of plaintexts and ciphertexts). By repeating this process for several
random independent choices of the local functions, and taking the intersection of
the resulting impossible differentials, we can get with high probability all the
impossible differentials which are a consequence of the global structure of the
cipher (this technique can also find wordwise truncated differentials with
probability 1 which are based on the global structure of the cipher). We call this
technique shrinking.

Using this approach we searched for the wordwise truncated impossible
differentials of Skipjack with various numbers of rounds. We found a large number
of impossible differentials with fewer than 24 rounds (some of them with more
than one non-zero word difference in the plaintext or the ciphertext), and
confirmed that the longest impossible differential based on the global structure of
Skipjack has 24 rounds. The most notable shorter impossible differentials of
Skipjack are (1) the two 23-round impossible differentials (rounds 5-27) which
are (0, a, 0, 0) ↛ (b, 0, 0, 0) and (0, a, 0, 0) ↛ (0, b, 0, 0) (where a and b are
non-zero), and (2) the two 22-round impossible differentials (rounds 5-26) which are
(0, a, 0, 0) ↛ (0, b, 0, 0), and the more useful (0, a, 0, 0) ↛ (x, 0, y, 0), where x
and y can have any value.
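The shrinking search of this appendix, run on the Rule A / Rule B structure of Section 2 so that it recovers the miss in the middle differential of Section 3, as an added example in Python (not the paper's own code). It assumes 3-bit words, a 12-bit block, an independent random permutation in place of the keyed G of every round, and restricts the exhaustive search to input differences with a single non-zero word; all function names are this example's own.

```python
"""Shrinking search for wordwise truncated impossible differentials on a
scaled-down Skipjack: 3-bit words, 12-bit block, random local functions.
Added example; not code from the paper. Assumptions: the keyed 16-bit G of
every round is replaced by an independent random permutation of the 3-bit
word space, and only input differences with one non-zero word are searched."""
import random
from itertools import product

WORD_BITS = 3                   # fewer bits would make every permutation affine
WORD_MASK = (1 << WORD_BITS) - 1
N_WORDS = 4                     # block = (w1, w2, w3, w4)
ROUNDS = 32


def rule_for_round(r):
    """Global structure: 8 rounds of Rule A, 8 of Rule B, 8 of A, 8 of B."""
    return "A" if ((r - 1) // 8) % 2 == 0 else "B"


def make_round_functions(rng):
    """One random permutation of the word space per round (stands in for G^k)."""
    gs = []
    for _ in range(ROUNDS):
        perm = list(range(1 << WORD_BITS))
        rng.shuffle(perm)
        gs.append(perm)
    return gs


def encrypt(block, gs, first_round, last_round):
    """Apply rounds first_round..last_round using the Rule A / Rule B equations."""
    w1, w2, w3, w4 = block
    for r in range(first_round, last_round + 1):
        g = gs[r - 1][w1]
        counter = r & WORD_MASK   # constant XOR, irrelevant for differences
        if rule_for_round(r) == "A":
            w1, w2, w3, w4 = g ^ w4 ^ counter, g, w2, w3
        else:
            w1, w2, w3, w4 = w4, g, w1 ^ w2 ^ counter, w3
    return (w1, w2, w3, w4)


# The 28 input differences with exactly one non-zero word, with their patterns.
SINGLE_WORD_DIFFS = [
    (tuple(a if i == pos else 0 for i in range(N_WORDS)),
     tuple(int(i == pos) for i in range(N_WORDS)))
    for pos in range(N_WORDS) for a in range(1, 1 << WORD_BITS)
]


def observed_differentials(gs, first_round, last_round):
    """Encrypt all 2^12 plaintexts and collect every (input pattern, output
    pattern) that occurs: these truncated differentials are certainly possible."""
    blocks = list(product(range(1 << WORD_BITS), repeat=N_WORDS))
    ct = {p: encrypt(p, gs, first_round, last_round) for p in blocks}
    seen = set()
    for p in blocks:
        cp = ct[p]
        for d, in_pat in SINGLE_WORD_DIFFS:
            cq = ct[(p[0] ^ d[0], p[1] ^ d[1], p[2] ^ d[2], p[3] ^ d[3])]
            out_pat = (int(cp[0] != cq[0]), int(cp[1] != cq[1]),
                       int(cp[2] != cq[2]), int(cp[3] != cq[3]))
            seen.add((in_pat, out_pat))
    return seen


def impossible_differentials(first_round, last_round, trials=3, seed=1):
    """Shrinking: intersect the never-observed sets over several independent
    random choices of the local functions. What survives is forced by the
    global structure of the cipher, not by the particular G permutation."""
    rng = random.Random(seed)
    in_patterns = {in_pat for _, in_pat in SINGLE_WORD_DIFFS}
    out_patterns = [o for o in product((0, 1), repeat=N_WORDS) if any(o)]
    candidates = {(i, o) for i in in_patterns for o in out_patterns}
    for _ in range(trials):
        gs = make_round_functions(rng)
        candidates -= observed_differentials(gs, first_round, last_round)
    return candidates


def outputs_for(first_round, last_round, in_pattern, seed=1):
    """Output patterns reached from one input pattern in a single instance;
    a singleton means a truncated differential with probability 1."""
    gs = make_round_functions(random.Random(seed))
    seen = observed_differentials(gs, first_round, last_round)
    return {o for i, o in seen if i == in_pattern}


if __name__ == "__main__":
    # Rounds 5-28: (0,a,0,0) -/-> (b,0,0,0) must be among the survivors.
    for i, o in sorted(impossible_differentials(5, 28)):
        print("rounds 5-28:", i, "-/->", o)
```

Running rounds 5 to 16 alone shows the forward half of the miss in the middle argument: from (0, a, 0, 0) the only truncated output is (c, d, e, 0).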
Abstract. This paper compares the parameter sizes and software performance
of several recent constructions for universal hash functions:
bucket hashing, polynomial hashing, Toeplitz hashing, division hashing,
evaluation hashing, and MMH hashing. An objective comparison between
these widely varying approaches is achieved by defining constructions
that offer a comparable security level. It is also demonstrated how
the security of these constructions compares favorably to existing MAC
algorithms, the security of which is less understood.



1 Introduction 

In many commercial applications, protecting the integrity of information is even
more important than protecting its secrecy. Digital signatures, introduced in
1976 by Diffie and Hellman, are the main tool for protecting the integrity
of information. They are essential to build a worldwide trust infrastructure.
However, there are still a significant number of applications for which digital
signatures are not cost-effective:

— For applications with short messages, the limitation is that signing and
verifying is too demanding for processors in low-cost smart cards. On a more
modern processor the combined time of signing and verifying a digital
signature using RSA, DSA or ECDSA typically exceeds 30 milliseconds.

— For applications with long messages (several Megabytes), the speed of sign- 
ing is limited by the speed of present-day hash functions, which is about 
100 Mbit/s. 

— Finally, the overhead of a digital signature varies between 25 to 128 bytes, 
and the keys and system parameters require between 80 and a few hundred 
bytes of storage. 

For the reasons indicated above, many applications use conventional MAC
(Message Authentication Code) algorithms to provide data integrity and data
origin authentication. MACs do not provide non-repudiation of origin, unlike
digital signatures, which can be used in a setting where the parties do not trust
each other. Moreover, MACs rely on shared symmetric keys, which requires
additional key management functions. Banks have been using MACs since the
late seventies for message authentication. Recent applications in which
MACs have been introduced include electronic purses (such as Proton and
Mondex) and credit/debit applications (e.g., the EMV specifications). MACs are also
being deployed for securing the Internet (e.g., IP security). For all these
applications MACs are preferred over digital signatures because they are two to three
orders of magnitude faster, and MAC results are shorter (typically between 4
and 16 bytes). On present day machines, software implementations of MACs can
achieve speeds from 50 to 250 Mbit/s, and MACs require very little resources on
inexpensive 8-bit smart cards and on the currently deployed Point of Sale (POS)
terminals. During the last five years, our understanding of MACs has improved
considerably, through development of security proofs (Bellare et al.) and
new attacks (Knudsen, and Preneel and van Oorschot).

Flanders (Belgium).

(Footnote) Throughout this paper performance numbers will be given for a 200 MHz Pentium.

An important disadvantage of both digital signatures and MAC algorithms
is that their security is only computational. That implies that an opponent with
sufficient computing power can in principle forge a message. A second problem
is that shortcut attacks might exist, which means that forging a message can be
much easier than expected. This problem can partially be solved by developing
security proofs; such a proof can reduce the security of a MAC or a digital
signature scheme to another primitive, such as a pseudo-random function, or to a
problem that is believed to be difficult, such as factoring the product of two large
primes. However, it seems wise to anticipate further progress in cryptanalysis of
specific primitives. In the nineties we have witnessed the development of
differential attacks, linear attacks, and of the use of optimization techniques
in cryptanalysis. The ultimate solution to this problem is unconditional security.

The idea of unconditionally secure authentication (and the so-called
authentication codes) dates back to the early seventies, when Simmons was developing
for Sandia National Laboratories a system for the verification of treaty
compliance, such as the comprehensive nuclear test-ban treaty between the USA
and the USSR. The motivation for his research was that apparently the
NSA refused to export strong conventional cryptographic mechanisms to the
USSR. The first construction of authentication codes appeared in a 1974 paper
by Gilbert et al. Subsequently their theory has been developed further by
Simmons, analogous to Shannon's theory of secrecy systems. An overview
of the theory of authentication codes can be found in the work of Simmons
and Stinson. In the seventies and the eighties, the research on authentication
codes in the cryptographic community focussed mainly on the properties
of authentication codes that meet certain bounds (such as perfect authentication
codes). While this work illustrates that combinatorial mathematics
and information theory provide powerful tools to develop an understanding of
cryptographic primitives, it was widely believed that this work was of purely
academic interest only.



26 



Wim Nevelsteen and Bart Preneel 



This is the more surprising because Carter and Wegman had already developed
in the late seventies efficient authentication codes under the name of strongly uni-
versal hash functions [?]. They show that this is an interesting combinatorial
tool that can be applied to other problems as well (such as interactive proof sys-
tems, pseudo-random number generation, and probabilistic algorithms). Carter
and Wegman make the following key observations: (i) long messages can be au-
thenticated efficiently using short keys if the number of bits in the authentication
tag is increased slightly compared to 'perfect' schemes; (ii) if a message is hashed
to a short authentication tag, weaker properties are sufficient for the first stage
of the compression; (iii) under certain conditions, the hash function can remain
the same for many plaintexts, provided that the hash result is encrypted using
a one-time pad. Mehlhorn and Vishkin propose more efficient constructions in
[?]. At Crypto'82, Brassard pointed out that combining this primitive with a
pseudo-random string generator results in efficient computationally secure
message authentication with short keys [?].

In the beginning of the nineties, the two 'independent' research threads were
brought together. Stinson improves the work by Wegman and Carter, and es-
tablishes an explicit link between authentication codes and strongly universal
hash functions [?]. A second important development is that Johansson, Kaba-
tianskii, and Smeets establish a relation between authentication codes and codes
correcting independent errors [?]. This provides a better understanding of the
existing constructions and their limitations.

During the last five years, progress has been made both in the theory and the
practice of universal hash functions. Krawczyk has proposed universal hash func-
tions that are linear with respect to bitwise xor [?]. This property makes it easier
to reuse the authentication code (with the same key): one encrypts the m-bit
hash result for each new message using a one-time pad. This approach leads to
simple and efficient constructions based on polynomials and Linear Feedback
Shift Registers (LFSRs). Other constructions based on polynomials over finite
fields are proposed and analyzed by Shoup [?]. Shoup [?] and Afanassiev et
al. [?] study efficient software implementations of this primitive. Another line of
research has been to improve the speed at the cost of an increased key size and
size of the authentication tag. Rogaway has introduced bucket hashing in [?];
a slower variant with shorter keys was proposed by Johansson in [?]. Halevi
and Krawczyk have developed an extremely fast scheme (MMH) which makes
optimal use of the multiply and accumulate instruction of the Pentium MMX
processor [?]. Recently Black et al. have further improved the performance on
high end processors with the UMAC construction [5].

While it is clear that authentication codes (or universal hash functions) have a
large potential for certain applications, they are not widely known to application
developers. Some of the reasons might be that the research is too new, and
that it is difficult to choose among the many schemes. For example, Halevi and
Krawczyk write "An exact comparison is not possible since the data available
on the most efficient implementations of other functions are based on different
platforms" [?, p. 174]. The latter problem makes it more difficult to introduce
them into standards. For the time being, there is also a lack of public domain
implementations that can demonstrate the benefits of this approach.

This paper intends to solve part of these problems by providing an objective
comparison of performance and parameter sizes for the most promising construc-
tions. For three related universal hash functions, similar work has been done by
Shoup [?]. Atici and Stinson [3] provide an overview of the general parameters
of several schemes, but do not discuss the performance.

The remainder of this paper is organized as follows. Section 2 introduces the most
important definitions, and Sect. 3 presents the constructions that will be compared in
this paper. The comparison of implementation speeds and memory requirements
of the different schemes is presented in Sect. 4, and Sect. 5 contains some concluding
remarks.



2 Definitions and Background 

This section presents the model for authentication without secrecy. Next univer- 
sal hash functions and strongly universal hash functions are introduced, and it 
is explained how they can be combined. 

2.1 Authentication Codes 

As usual in cryptography, the main players are the sender Alice, who wants
to send some information to the receiver Bob; the opponent of Alice and Bob is
the active eavesdropper Eve. Here, Alice and Bob are not concerned about the
secrecy of the information. In order to detect the actions of Eve, Alice attaches to
the plaintext an authentication tag that is a function of a shared secret key and
of the plaintext. Bob recomputes the tag and accepts the plaintext as authentic
if the tag is the same. As in the Vernam scheme, the secret key can be used only
once.

Eve can perform three types of attacks: (i) Eve can create a new plaintext
and send it to Bob, pretending that it came from Alice (impersonation attack);
(ii) Eve can wait until she observes a plaintext and replace it by a different
plaintext (substitution attack); (iii) Eve can choose freely between both strate-
gies (deception attack). The probability of success (when the strategy of Eve
is optimal) will be denoted by P_I, P_S, and P_D respectively. A first result that
follows from Kerckhoffs' assumption (namely that the strategy to choose the key
is known by Eve) is that P_D = max(P_I, P_S) [27].

In the following the length (in bits) of the plaintext, authentication tag, and
key is denoted by m, n, and k respectively. The combinatorial bounds state
that P_I and P_S are at least 1/2^n. In the following we will consider only schemes for
which P_I = 1/2^n. Another important bound is the square root bound; it states
that P_D ≥ 1/2^{k/2}. This is a corollary of the 'authentication channel capacity
theorem', which states that an authentication code can only be secure if the
authentication tag reveals a significant amount of information on the secret key
(see Massey [?] for details).

Stinson proves that if P_I = P_S = 1/2^n, the number of plaintexts is at most
a linear function of the number of keys [?]. This shows that schemes of this
type require large keys for large messages, which makes them impractical. On
the other hand, Kabatianskii et al. [?] showed that if P_S exceeds P_I by an
arbitrarily small amount, the number of plaintexts grows exponentially with the
number of keys. This research developed from exploring connections to the rich
theory of error-correcting codes, and connects to the work of Wegman and Carter
[?]. The disadvantage of P_S > 1/2^n is that for a given security level (say,
P_D = 2^{-64}), slightly more than 64 bits are required for the authentication tag.
While [?] shows efficient constructions that require only a single extra bit, in
practice one can afford to send one or more extra bytes.

2.2 Universal Hash Functions 

A universal hash function is a mapping from a finite set A with size a to a finite
set B with size b. For a given hash function h and for a pair (x, x') with x ≠ x'
the following function is defined: δ_h(x, x') = 1 if h(x) = h(x'), and 0 otherwise.
For a finite set of hash functions H (in the following this will be denoted as
a family of hash functions), δ_H(x, x') is defined as Σ_{h ∈ H} δ_h(x, x'), or: δ_H(x, x')
counts the number of functions in H for which x and x' collide. When a random
choice of h is made, then for any two distinct inputs x and x', the probability
that these two inputs yield a collision equals δ_H(x, x')/|H|. For a universal hash
function, the goal is to minimize this probability together with the size of H.

Definition 1. Let ε be any positive real number. An ε-almost universal family
(or ε-AU family) H of hash functions from a set A to a set B is a family of
functions from A to B such that for any distinct elements x, x' ∈ A

  |{h ∈ H : h(x) = h(x')}| = δ_H(x, x') ≤ ε · |H| .

This definition states that for any two distinct inputs the probability for a colli-
sion is at most ε. In [?] the case ε = 1/b is called universal; the smallest possible
value for ε is (a − b)/(b(a − 1)).

Definition 2. Let ε be any positive real number. An ε-almost strongly uni-
versal family (or ε-ASU family) H of hash functions from a set A to a set B is
a family of functions from A to B such that

  – for every x ∈ A and for every y ∈ B, |{h ∈ H : h(x) = y}| = |H|/b,

  – for every x_1, x_2 ∈ A (x_1 ≠ x_2) and for every y_1, y_2 ∈ B (y_1 ≠ y_2),

      |{h ∈ H : h(x_1) = y_1, h(x_2) = y_2}| ≤ ε · |H|/b .

The first condition states that the probability that a given input x is mapped to
a given output y equals 1/b. The second condition implies that if x_1 is mapped
to y_1, then the conditional probability that x_2 (different from x_1) is mapped to
y_2 is upper bounded by ε. The lowest possible value for ε equals 1/b and this
family has been called strongly universal functions in [?]. For this family the
first condition in the definition follows from the second one [?].
If an Abelian group can be defined on the set B using the operation ⊕ (bitwise
exclusive-or), Krawczyk defines the following variant [?] (the terminology is
from [?]):

Definition 3. Let ε be any positive real number. An ε-almost XOR universal
family (or ε-AXU family) H of hash functions from a set A to a set B is a family
of functions from A to B such that for any distinct elements x, x' ∈ A and for
any b ∈ B

  |{h ∈ H : h(x) ⊕ h(x') = b}| ≤ ε · |H| .

It follows directly from the definition that ε-ASU families of hash functions
are equivalent to authentication codes with P_I = 1/b and P_S = ε [?].

Theorem 4. There exists an ε-ASU family H of hash functions from A to B
iff there exists an authentication code with a plaintexts, b authenticators and
k = |H| keys, such that P_I = 1/b and P_S ≤ ε.

A similar result has been proved by Krawczyk for ε-AXU families [?].

Theorem 5. There exists an ε-AXU family H of hash functions from A to B
iff there exists an authentication code with a plaintexts, b authenticators and
k = |H| · b keys, such that P_I = 1/b and P_S ≤ ε.

The construction consists of hashing an input using a hash function from H,
followed by encrypting the result by xoring it with a random element of B (which
corresponds to a one-time pad).

Roga­way [?] and Shoup [?] show how the one-time pad can be replaced by
a finite pseudo-random function (respectively permutation). In addition, they
develop models for the use of counters and random tags. If the keys are generated
using a finite pseudo-random function, the unconditional security is lost, but one
has achieved a clear separation between compression (in a combinatorial way)
and the final cryptographic step. This makes it easier to analyze and understand
the resulting scheme.

2.3 Composition Constructions 

The following propositions show how universal hash functions can be combined
in different ways in order to increase their domains, reduce ε, or decrease the
range. Several of these results were applied by Wegman and Carter [?].

Proposition 6 (Cartesian Product [39]). If there exists an ε-AU family H
of hash functions from A to B, then, for any integer i ≥ 1, there exists an ε-AU
family H^i of hash functions from A^i to B^i with |H^i| = |H|.

Proposition 7 (Concatenation [33]). If there exists an ε_1-AU family H_1 of
hash functions from A to B and an ε_2-AU family H_2 of hash functions from A
to C, then there exists an ε-AU family H of hash functions from A to B × C,
where H = H_1 × H_2, |H| = |H_1| · |H_2|, and ε = ε_1 ε_2.

Proposition 8 (Composition 1 [39]). If there exists an ε_1-AU family H_1 of
hash functions from A to B and an ε_2-AU family H_2 of hash functions from B
to C, then there exists an ε-AU family H of hash functions from A to C, where
H = H_1 × H_2, |H| = |H_1| · |H_2|, and ε = ε_1 + ε_2 − ε_1 ε_2 ≤ ε_1 + ε_2.

Proposition 9 (Composition 2 [39]). If there exists an ε_1-AU family H_1 of
hash functions from A to B and an ε_2-ASU family H_2 of hash functions from
B to C, then there exists an ε-ASU family H of hash functions from A to C,
where H = H_1 × H_2, |H| = |H_1| · |H_2|, and ε = ε_1 + ε_2 − ε_1 ε_2 ≤ ε_1 + ε_2.

Proposition 10 (Composition 3 [?]). If there exists an ε_1-AU family H_1 of
hash functions from A to B and an ε_2-AXU family H_2 of hash functions from
B to C, then there exists an ε-AXU family H of hash functions from A to C,
where H = H_1 × H_2, |H| = |H_1| · |H_2|, and ε = ε_1 + ε_2 − ε_1 ε_2 ≤ ε_1 + ε_2.

The most important results are Proposition 9 and Proposition 10, as they
allow the use of more efficient (in terms of key size and computation) ε-AU universal
hash functions in the first stage of the compression.

3 Constructions 

The schemes that are discussed here are: bucket hashing, bucket hashing with a 
short key, fast polynomial evaluation, Toeplitz hashing, evaluation hash function, 
the division hash function, and MMH. 



3.1 Bucket Hashing 

The first hashing technique we consider is bucket hashing, which is an ε-AU
family introduced by Rogaway [?]. Fix a word size w ≥ 1. For M > N the hash
functions of the family B[w, M, N] are defined as mappings from A = {0, 1}^{wM}
to B = {0, 1}^{wN}. Each h ∈ B[w, M, N] is specified by a list of length M, each
entry of which contains three integers in the interval [0, N − 1]. Denote this list
by h = h_1 ... h_M, where h_i = {h_i^1, h_i^2, h_i^3}. The hash family B[w, M, N] is the
set of all possible lists h subject to the constraint that no two of the 3-element
sets in the list are the same, i.e., h_i ≠ h_j, ∀ i ≠ j.

For a given hash function h = h_1 ... h_M and a given input X = x_1 ... x_M the
hash result h(X) is computed as follows. First, for each j ∈ {1, ..., N}, initialize
y_j to 0^w. Then for each i ∈ {1, ..., M} and k ∈ h_i, replace y_k by y_k ⊕ x_i. When
this operation is completed, set h(X) := y_1 || y_2 || ... || y_N.

The name bucket hashing is derived from the following interpretation of the
computation. We start with N empty buckets y_1 through y_N. Each word of the
input is thrown into three buckets; the i-th word x_i is thrown into the buckets h_i^1,
h_i^2, and h_i^3. Then, the xor of the content in each of the buckets is computed, and
the hash function output is the concatenation of the final content of the buckets.
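The computation above can be made concrete with the following Python code, which is an added illustration and is not part of the paper nor of Rogaway's implementation. It draws a key for B[w, M, N] (a seeded generator stands in for the shared secret; this and the input words are constructed sample values), computes h(X) with the bucket interpretation, and checks the GF(2)-linearity of h, which makes a collision between X and X' the same event as h(X ⊕ X') = 0. The helper key_bits reproduces the Key (bits) row of Table 1 below from 3·M·log2(N) for a single function; that formula is our reading of the table, not a statement made in the paper.

```python
from math import log2
from random import Random


def bucket_hash_key(M, N, rng):
    """Draw h = h_1 ... h_M from B[w, M, N]: M distinct 3-element subsets of
    {0, ..., N-1} (the constraint h_i != h_j for i != j).  The seeded
    generator only makes the example reproducible; in a real system the
    list is the shared secret key."""
    assert N >= 3 and M <= N * (N - 1) * (N - 2) // 6, "not enough distinct triples"
    key, seen = [], set()
    while len(key) < M:
        triple = frozenset(rng.sample(range(N), 3))
        if triple not in seen:
            seen.add(triple)
            key.append(triple)
    return key


def example_key(seed, M, N):
    """Constructed, reproducible key for the examples and checks below."""
    return bucket_hash_key(M, N, Random(seed))


def bucket_hash(key, words, N):
    """h(X) for X = x_1 ... x_M: start with N zero buckets, xor word x_i into
    the three buckets named by h_i, and return the bucket contents
    y_1 || ... || y_N as a list of w-bit integers."""
    assert len(words) == len(key), "the input must consist of exactly M words"
    buckets = [0] * N
    for x_i, h_i in zip(words, key):
        for k in h_i:
            buckets[k] ^= x_i
    return buckets


def xor_words(a, b):
    return [u ^ v for u, v in zip(a, b)]


def key_bits(M, N):
    """Key length as read off Table 1: each of the M list entries costs about
    3 log2(N) bits.  Constructed check; the paper only gives the totals."""
    return round(3 * M * log2(N))


def hash_result_bytes(N, w):
    """N buckets of w bits each."""
    return N * w // 8


if __name__ == "__main__":
    M, N, w = 256, 24, 32                       # first column of Table 1
    key = example_key(1999, M, N)
    rng = Random(2024)                          # constructed input words
    words = [rng.getrandbits(w) for _ in range(M)]
    other = [rng.getrandbits(w) for _ in range(M)]
    # h is GF(2)-linear, so h(X xor X') = h(X) xor h(X'): two inputs collide
    # exactly when their difference lands in the zero vector of the buckets.
    assert bucket_hash(key, xor_words(words, other), N) == \
        xor_words(bucket_hash(key, words, N), bucket_hash(key, other, N))
    print(key_bits(M, N), hash_result_bytes(160, w))
```

The 3-subset constraint is what keeps two list entries from cancelling each other; the key generation loop rejects any repeated triple rather than silently accepting it.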
The bucket hash family is ε-AU with the collision probability given by a
complicated expression in the number N of buckets (see Rogaway [?, p. 35]).
It is important to note that the number N of buckets increases very fast as ε
decreases. For example, for ε = 2^-? , N = 100 buckets are needed, but for
ε = 2^-? already 197 buckets are needed.

Table 1 indicates the performance and parameter sizes for an input block of
4 Kbyte and a word length w equal to 32. The Assembly code is hand optimized,
and makes optimal use of the two parallel pipes of the Pentium. Several alter-
natives have been compared, but it was decided not to use self-modifying code,
as this poses problems in most applications. For some of these results, we have
combined several bucket hash functions using the rules from Sect. 2.3 (details are
omitted due to space constraints). The memory in the table below corresponds
to the processed key and the hash result; the memory to store the input is not
included.

Note that for this hash function only, the speed was measured under DOS,
while for the other schemes (that use a finite field arithmetic library), the speed
was measured under Windows '95. Timing measurements under DOS tend to be
a little better.

Table 1. Characteristics of bucket-hashing for a block of 4 Kbyte

  ε                    2^-16     2^-32     2^-48     2^-64
  Parameters           M = 256   M = 1024  M = 1024  M = 1024
                       N = 24    N = 160   N = 62    N = 160
  Speed (Mbit/s)       543       341       147       138
  Key (bits)           3521      22493     36582     44986
  Hash result (bytes)  384       640       496       1280
  Memory (bytes)       1152      3712      6640      7424



We conclude that bucket-hashing is a very fast technique, but it requires a 
long key and a large memory. The hash result becomes very large for small values 
of e. 

3.2 Bucket Hashing with Small Key Size 

The bucket-hashing approach from Sect. 3.1 gives rise to ε-AU hash functions that
are very fast to compute, at the cost of a very large key and a long hash result.
To overcome these disadvantages Johansson proposed bucket hashing with small
key size [?].

Let N = 2^{s/L}. Each hash function h ∈ B'[w, M, N] is specified by a list of
length M, where each entry contains L integers in the interval [0, N − 1]. Next
L arrays are introduced, each containing N buckets. Each word from the input
is thrown into one bucket of each array, based on the list that describes the hash
function h. Next, each array is compressed to s/L words, using a fixed primitive
element γ ∈ GF(2^{s/L}). The hash result is equal to the concatenation of the L
compressed arrays, each containing s/L words.
Table 2 indicates the performance and parameter sizes for an input block of
4 Kbyte and a word length w equal to 32. Again the Assembly code is hand
optimized for the Pentium. It is not possible to use exactly the same values for ε
as for bucket hashing, because of the constraints on the parameters (for example,
L has to divide s). For each value of ε, one has to determine the optimal value
for L. Too large values of L imply that the input has to be thrown into too many
buckets; too small values of L imply that N becomes too large.

Table 2. Characteristics of bucket-hashing with small key for a block of 4 Kbyte

  ε                    2^-18    2^-32    2^-46    2^-62
  Parameters           s = 28   s = 42   s = 56   s = 72
                       L = 4    L = 6    L = 7    L = 12
                       N = 128  N = 128  N = 256  N = 256
  Speed (Mbit/s)       128      93       75       58
  Key (bits)           28       42       56       72
  Hash result (bytes)  112      168      224      288
  Memory (bytes)       11264    16896    25088    43008



We conclude that bucket-hashing with small key size does indeed result in very
small keys, at the cost of a factor 2 to 4 in performance (depending on the value
of ε). However, the memory requirements are still large, and the hash results are
only a little shorter.

3.3 Hash Family Based on Fast Polynomial Evaluation 

The next family of hash functions has been proposed by Bierbrauer et al. [?]; it
is based on polynomial evaluation over a finite field. Let q = 2^r, Q = 2^m = 2^{r+s},
n = 1 + 2^s, and π be a linear mapping from GF(Q) onto GF(q), where Q = q_0^m,
q = q_0^j, and q_0 a prime power. Let f_a(x) = a_0 + a_1 x + ... + a_{n−1} x^{n−1}, where

  x, y, a_0, a_1, ..., a_{n−1} ∈ GF(Q), z ∈ GF(q) and

  H = { h_{x,y,z} : h_{x,y,z}(a) = h_{x,y,z}(a_0, a_1, ..., a_{n−1}) = π(y · f_a(x)) + z } .

It is shown in [?] that the hash family in the construction above is ε-ASU
with ε ≤ 2/2^r. For q_0 = 2, the function is also ε-AXU (for other values, a
different group operation has to be used for the difference). The main step in
the hash function construction is the evaluation of a polynomial in some point
determined by the key. Afanassiev, Gehrmann and Smeets [?] have developed
a very fast construction to evaluate a polynomial f_a(x) in an element α (the
MinWal procedure). This procedure makes use of minimal W-nomials. Before
evaluating the polynomial f_a(x) in α, f_a(x) is first reduced modulo the minimal
W-nomial T_{α,W}(x). The minimal W-nomial T_{α,W}(x) is a multiple of the minimal
polynomial of α with the lowest degree and with fewer than W non-zero terms.

Table 3 indicates the performance and parameter sizes for input blocks of
4, 64, and 256 Kbyte. Most of the code has been written in C++ (compiled with
Borland C++ 5.0). The most critical step, the reduction modulo the minimal
W-nomial, has been written in Assembly language. Calculations are performed
in GF(2^32). The maximal input length for one instance is equal to 256 Kbyte; of
course Proposition 6 (cf. Sect. 2.3) can be used for larger inputs, and ε can be reduced
using Proposition 7. We can show that for our software, the optimal value is
W = 5. Finding a minimal 5-nomial requires about 40 seconds using sub-optimal
code. Note that this operation has to be done only in the set-up phase. If one adds
the (pre-computed) 5-nomials to the key, one needs about 42 bits per additional
5-nomial.

Table 3. Characteristics of hashing based on fast polynomial evaluation

  ε                          2^-15   2^-30   2^-45   2^-60
  Speed 4 Kbyte (Mbit/s)     9       5       3       2
  Speed 64 Kbyte (Mbit/s)    104     56      34      25
  Speed 256 Kbyte (Mbit/s)   207     87      50      38
  Key (bits)                 80      160     240     320
  Hash result (bytes)        2       4       6       8
  Memory (bytes)             30      60      90      120



For large inputs (256 Kbyte or more), the polynomial evaluation hash func-
tion is rather fast and the key sizes are reasonable. The two main advantages
are the very small memory requirements, both for the computation and for the
storage of the hash result.



3.4 Hash Family Using Toeplitz Matrices 

The next hash family is the Toeplitz construction proposed by Krawczyk [?].
Toeplitz matrices are matrices with constant values on the left-to-right diagonals.
A Toeplitz matrix of dimension n × m can be used to hash messages of length
m to hash results of length n by vector-matrix multiplication. The Toeplitz
construction uses matrices generated by sequences of length n + m − 1 drawn
from δ-biased distributions. δ-biased distributions, introduced by Naor and Naor
[?], are a tool for replacing truly random sequences by more compact and easier
to generate sequences. The lower δ, the more random the sequence is.

Krawczyk proves that the family of hash functions associated with a family
of Toeplitz matrices corresponding to sequences selected from a δ-biased distri-
bution is ε-AXU with ε = 2^{-n} + δ [?]. He proposes to use the LFSR construction
due to Alon et al. [?] to construct a δ-biased distribution. This construction asso-
ciates with r random bits a δ-biased sequence of length l with δ = [?].
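The following Python code is an added example (our code, not the paper's nor Krawczyk's) that ties the definitions of Sect. 2.2 to this construction: it builds the n × m Toeplitz matrix from a sequence of length n + m − 1, hashes by vector-matrix multiplication over GF(2), and, for toy parameters where the whole family can be enumerated, computes the exact ε of Definitions 1 and 3 by exhaustive search over all input pairs and all functions. With a truly random sequence (δ = 0) the result is exactly 2^-n, in agreement with the bound ε = 2^-n + δ. The δ-biased LFSR generator is not reproduced here, and the exhaustive search is only feasible for toy sizes; the sequence and pad in the usage are constructed sample values.

```python
from fractions import Fraction
from itertools import product


def toeplitz_hash(seq, n, m, msg):
    """Multiply the m-bit message by the n x m Toeplitz matrix T over GF(2)
    whose entry T[i][j] is seq[i - j + m - 1]: the n + m - 1 sequence bits
    fill the left-to-right diagonals, so one bit string defines the whole
    matrix.  Returns the n result bits as a tuple."""
    assert len(seq) == n + m - 1 and len(msg) == m
    out = []
    for i in range(n):
        bit = 0
        for j in range(m):
            bit ^= seq[i - j + m - 1] & msg[j]
        out.append(bit)
    return tuple(out)


def toeplitz_family(n, m):
    """The family indexed by a truly random sequence (delta = 0): all
    2^(n+m-1) sequences.  Only feasible for toy sizes."""
    return list(product((0, 1), repeat=n + m - 1))


def epsilon_au_axu(family, hash_fn, domain, n):
    """Exhaustively evaluate the epsilons of Definitions 1 and 3 for a family
    of functions into {0,1}^n:
      eps_AU  = max over x != x'            |{h : h(x) = h(x')}| / |H|
      eps_AXU = max over x != x' and any b  |{h : h(x) xor h(x') = b}| / |H|
    Exact rationals are returned so they can be compared with 2^-n."""
    worst_au = worst_axu = 0
    zero = (0,) * n
    for x in domain:
        for xp in domain:
            if xp <= x:                  # each unordered pair once
                continue
            counts = {}
            for h in family:
                diff = tuple(a ^ b for a, b in zip(hash_fn(h, x), hash_fn(h, xp)))
                counts[diff] = counts.get(diff, 0) + 1
            worst_au = max(worst_au, counts.get(zero, 0))
            worst_axu = max(worst_axu, max(counts.values()))
    return Fraction(worst_au, len(family)), Fraction(worst_axu, len(family))


def toeplitz_epsilons(n, m):
    """eps_AU and eps_AXU of the full Toeplitz family from {0,1}^m to {0,1}^n."""
    family = toeplitz_family(n, m)
    domain = list(product((0, 1), repeat=m))
    return epsilon_au_axu(family, lambda s, x: toeplitz_hash(s, n, m, x), domain, n)


def authenticate(seq, n, m, msg, pad):
    """Theorem 5 in action: the tag is the hash xored with a fresh n-bit
    one-time pad, so the key is (seq, pad).  Replacing msg by msg' succeeds
    only if h(msg) xor h(msg') equals the required tag difference, an event
    the AXU bound limits to probability eps."""
    return tuple(a ^ b for a, b in zip(toeplitz_hash(seq, n, m, msg), pad))


if __name__ == "__main__":
    eps_au, eps_axu = toeplitz_epsilons(3, 4)
    print("n = 3, m = 4:", eps_au, eps_axu)    # both 1/8 = 2^-n
    seq, pad = (1, 0, 1, 1, 0, 0), (0, 1, 1)     # constructed key material
    print(authenticate(seq, 3, 4, (1, 0, 1, 0), pad))
```

The exhaustive search is the definition applied literally, which is what makes it a useful cross-check when a family is small enough: the AXU figure is never below the AU figure, since b = 0 is one of the differences counted.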

Table 4 indicates the performance and parameter sizes for an input block of
4 Kbyte and a word length w equal to 32. As pointed out by Krawczyk [?], this
construction is more suited for hardware, and is not very fast in software. In this
case, the compiled C++ code could not be improved manually. For this version
of the code, the complete matrix has been stored to improve the performance.
Table 4. Characteristics of Toeplitz hashing for a block of 4 Kbyte

  ε                    2^-16    2^-32    2^-48    2^-64
  Parameters           n = 17   n = 33   n = 44   n = 65
                       r = 68   r = 88   r = 120  r = 142
  Speed (Mbit/s)       65       33       21       16
  Key (bits)           68       88       120      142
  Hash result (bytes)  68       132      176      260
  Memory (bytes)       2176     4224     5632     8320



3.5 Evaluation Hash Function 

The evaluation hash function was proposed by Mehlhorn and Vishkin in 1984
[?]. It is one of the variants analyzed by Shoup in [?]. The input (of length
≤ tn) is viewed as a polynomial M(x) of degree < t over GF(2^n). The key is a
random element α ∈ GF(2^n), and the hash result is equal to M(α) · α ∈ GF(2^n).
This family of hash functions is ε-AXU with ε = t/2^n.

We have written an implementation for n = 64, where GF(2^64) was repre-
sented as GF(2)[x]/f(x), with f(x) = x^64 + x^4 + x^3 + x + 1. The evaluation
of the polynomial is performed using Horner's rule, and with a precomputation
of the mapping β ↦ α · β with β ∈ GF(2^n). As in [?], two options have been
considered that provide a time-memory trade-off.

For this construction ε grows with the number of n-bit blocks in the input.
The fastest method achieves a speed of approximately 240 Mbit/s in optimized
Assembly language (122 Mbit/s in C++), and requires about 16 Kbyte of mem-
ory. The second method is about a factor of 7 slower (18 Mbit/s in C++), but
requires only 2 Kbyte of memory. Shoup's implementation in C is a little slower
than our Assembly version, but faster than our C++ code; the latter can prob-
ably be explained by better optimization in C versus C++, and maybe by the
overhead of the operating system (Linux versus Windows '95).
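As an added example (our code, not the implementation measured in the paper nor Shoup's), the following Python program implements the evaluation hash for n = 64 with the representation f(x) = x^64 + x^4 + x^3 + x + 1 given above, evaluates M(α)·α by Horner's rule, and shows both precomputation options for the mapping β ↦ α·β: 8 byte-indexed tables of 256 entries (8 · 256 · 8 = 16 Kbyte) and 16 nibble-indexed tables of 16 entries (16 · 16 · 8 = 2 Kbyte), whose sizes agree with the memory figures quoted above. The key α, the message and the one-time pad value are constructed sample values; a padding rule for inputs that are not a multiple of 8 bytes is left to the caller.

```python
# f(x) = x^64 + x^4 + x^3 + x + 1: the low part x^4 + x^3 + x + 1 is what
# x^64 reduces to, so it is all the reduction step needs.
F_POLY_LOW = (1 << 4) | (1 << 3) | (1 << 1) | 1
MASK64 = (1 << 64) - 1


def gf64_mul(a, b):
    """Multiply in GF(2^64) = GF(2)[x]/f(x): shift-and-add (carry-less)
    multiplication, reducing the overflow bit with x^64 = x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 63
        a = (a << 1) & MASK64
        if carry:
            a ^= F_POLY_LOW
    return r


def byte_tables(alpha):
    """Option 1 of the time-memory trade-off: tables[i][v] = alpha * (v x^(8i))
    for every byte value v; 8 tables x 256 entries x 8 bytes = 16 Kbyte."""
    return [[gf64_mul(alpha, v << (8 * i)) for v in range(256)] for i in range(8)]


def nibble_tables(alpha):
    """Option 2: 16 tables x 16 entries x 8 bytes = 2 Kbyte."""
    return [[gf64_mul(alpha, v << (4 * i)) for v in range(16)] for i in range(16)]


def mul_by_alpha(tables, chunk_bits, beta):
    """alpha * beta by lookups: beta is split into chunks and, because
    multiplication by alpha is GF(2)-linear, the per-chunk products xor up."""
    mask = (1 << chunk_bits) - 1
    r = 0
    for i, table in enumerate(tables):
        r ^= table[(beta >> (chunk_bits * i)) & mask]
    return r


def evaluation_hash(message, alpha, mul=None):
    """M(alpha) * alpha, where the 8-byte blocks of message are the
    coefficients of M(x) (first block = highest degree), degree < t.
    Horner's rule: acc = (acc + m_i) * alpha, one multiplication per block;
    the final multiplication supplies the extra factor alpha.  `mul(beta)`
    must return alpha * beta; by default gf64_mul is used directly."""
    assert len(message) % 8 == 0, "pad to a multiple of 8 bytes first"
    if mul is None:
        mul = lambda beta: gf64_mul(alpha, beta)
    acc = 0
    for i in range(0, len(message), 8):
        acc = mul(acc ^ int.from_bytes(message[i:i + 8], "big"))
    return acc


def tag(message, alpha, pad):
    """Theorem 5: tag = h(message) xor a fresh 64-bit one-time pad value.
    eps = t/2^64 for t blocks, so a 4 Kbyte input (t = 512) gives 2^-55."""
    return evaluation_hash(message, alpha) ^ pad


if __name__ == "__main__":
    alpha = 0x0123456789ABCDEF                     # constructed key
    msg = bytes(range(24))                         # constructed 3-block input
    bt, nt = byte_tables(alpha), nibble_tables(alpha)
    direct = evaluation_hash(msg, alpha)
    fast = evaluation_hash(msg, alpha, lambda b: mul_by_alpha(bt, 8, b))
    small = evaluation_hash(msg, alpha, lambda b: mul_by_alpha(nt, 4, b))
    assert direct == fast == small
    print(hex(direct), hex(tag(msg, alpha, 0x0F0F0F0F0F0F0F0F)))
```

The two table variants are interchangeable drop-ins for the multiplication by α, which is the only place the key enters the per-block work; the 8 Kbyte/2 Kbyte difference is the whole time-memory trade-off.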

3.6 Division Hash Function 

The division hash function was proposed by Krawczyk [23], inspired by an earlier
scheme by M.O. Rabin. It represents the input as a polynomial M(x) of degree
less than tn over GF(2). The hash key is a random irreducible polynomial p(x)
of degree n over GF(2). The hash result is M(x) · x^n mod p(x). Since the total
number of irreducible polynomials of degree n is roughly equal to 2^n/n, it follows
that this family of hash functions is ε-AXU with ε = tn/2^n.

Again, we have written an implementation for n = 64. The main step is the
reduction, which can be optimized by using a precomputation of the mapping
g(x) ↦ g(x) · x^64 mod p(x), with deg g(x) < 64. Again, following [23], two options
were considered that provide a time-memory trade-off. For the key generation,
see [?].

For this construction ε = t/2^58, with t the number of 8-byte blocks in the
input (for the same value of n, the security level is 6 bits smaller compared to the
evaluation hash function). The slower implementation uses 2 Kbyte of memory
and runs at 14 Mbit/s in C++. Our fastest implementation uses 8 Kbyte of
memory and achieves a speed of approximately 115 Mbit/s in C++, which is
still slower than the evaluation hash function (in contrast to the conclusions of
Shoup [?]). Therefore it was decided not to write optimized Assembly language code.

Shoup generalizes this construction to polynomials over GF(2^k), where k
divides n [?]. The main conclusion is that for this variant the key generation is
faster, but the precomputation is a little slower. For n = 64, ε = t/2^61 (for the
same value of n, the security is 3 bits better than the simple division hash, but
3 bits worse than the evaluation hash), and the performance is identical to that
of the division hash.
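The following Python code is an added example, not the paper's implementation nor Krawczyk's: it computes M(x) · x^64 mod p(x), shows the byte-wise precomputation of g(x) ↦ g(x) · x^64 mod p(x) that the text refers to, and generates the key by drawing random degree-n polynomials until Rabin's irreducibility test accepts one (the paper refers elsewhere for key generation; rejection sampling with Rabin's test is our choice, not the paper's). The polynomial x^64 + x^4 + x^3 + x + 1 used in the checks is the one from Sect. 3.5, and the sample message is constructed. A reducible key would void the ε = tn/2^n argument, since it counts irreducible polynomials of degree n; that is why the irreducibility check belongs in key generation rather than being assumed.

```python
from random import Random


def poly_degree(p):
    return p.bit_length() - 1


def poly_mod(a, p):
    """a(x) mod p(x) over GF(2); polynomials are ints, bit i = coefficient of x^i."""
    dp = poly_degree(p)
    while a and poly_degree(a) >= dp:
        a ^= p << (poly_degree(a) - dp)
    return a


def poly_mulmod(a, b, p):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = poly_mod(a << 1, p)
    return r


def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a


def prime_factors(n):
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def is_irreducible(p):
    """Rabin's test: p of degree n is irreducible over GF(2) iff
    x^(2^n) == x (mod p) and gcd(x^(2^(n/q)) - x, p) == 1 for every prime q | n."""
    n = poly_degree(p)
    if n < 1:
        return False

    def x_pow_2k(k):                 # x^(2^k) mod p by k squarings
        r = 2                        # the polynomial x
        for _ in range(k):
            r = poly_mulmod(r, r, p)
        return r

    for q in prime_factors(n):
        if poly_gcd(x_pow_2k(n // q) ^ 2, p) != 1:
            return False
    return x_pow_2k(n) == poly_mod(2, p)


def generate_key(n, rng):
    """Rejection sampling: a random degree-n polynomial is irreducible with
    probability about 1/n; forcing the constant term to 1 (else x divides p)
    halves the expected number of draws."""
    while True:
        p = (1 << n) | (rng.getrandbits(n - 1) << 1) | 1
        if is_irreducible(p):
            return p


def example_key(n, seed):
    """Constructed, reproducible key; a real key needs a proper random source."""
    return generate_key(n, Random(seed))


def division_hash(message, p):
    """M(x) * x^n mod p(x), with the message bytes as the coefficients of M(x)."""
    n = poly_degree(p)
    return poly_mod(int.from_bytes(message, "big") << n, p)


def shift_tables(p):
    """Precompute g(x) -> g(x) * x^n mod p(x) for deg g < n, one table per byte
    of g (for n = 64: 8 tables x 256 entries x 8 bytes = 16 Kbyte)."""
    n = poly_degree(p)
    return [[poly_mod(v << (8 * i + n), p) for v in range(256)] for i in range(n // 8)]


def division_hash_tables(message, p, tables):
    """Same result as division_hash, processing n-bit blocks by Horner's rule:
    acc = (acc * x^n mod p) + m_i, with the multiplication by x^n done as the
    xor of one table lookup per byte of acc."""
    n = poly_degree(p)
    nbytes = n // 8
    assert len(message) % nbytes == 0, "pad to whole n-bit blocks first"

    def times_x_n(g):
        r = 0
        for i, table in enumerate(tables):
            r ^= table[(g >> (8 * i)) & 0xFF]
        return r

    acc = 0
    for i in range(0, len(message), nbytes):
        acc = times_x_n(acc) ^ int.from_bytes(message[i:i + nbytes], "big")
    return times_x_n(acc)


if __name__ == "__main__":
    p = example_key(64, 1999)                      # constructed key
    msg = bytes(range(16))                         # constructed 2-block input
    assert division_hash_tables(msg, p, shift_tables(p)) == division_hash(msg, p)
    print(hex(p), hex(division_hash(msg, p)))
```

Horner's rule keeps the intermediate value below degree n, so the only expensive operation per block is the multiplication by x^n, which the tables turn into eight lookups and xors.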



3.7 MMH Hashing 

Halevi and Krawczyk propose MMH (Multilinear Modular Hashing) in [?]. This
hash function consists of a (modified) inner product between message and key
modulo a prime p (close to 2^w, with w the word length; below w = 32). MMH
is an ε-AXU, but with xor replaced by subtraction modulo p. The core hash
function maps 32 32-bit message words and 32 32-bit key words to a 32-bit
result. The key size is 1024 bits and ε = 1.5/2^30. For larger messages, a tree
construction can be used based on the Cartesian product and composition propositions
of Sect. 2.3; the value of ε and the key length have to be multiplied by the height of the tree.

This algorithm is very fast on the Pentium Pro, which has a multiply and
accumulate instruction (and on other machines with this feature). On a 32-bit
machine, MMH requires only 2 instructions per byte for a 32-bit result. We
have not (yet) implemented MMH, but include the impressive speed given in
[?] for a 200 MHz Pentium Pro (optimized Assembly language): 1.2 Gbit/s for
ε = 1.5/2^30, and 500 Mbit/s for ε = 1.125/2^? (for large messages, if the data
resides in cache). Note that this does not take into account the final addition of
the key. The memory size of the implementation is not mentioned, but 1 Kbyte
is probably sufficient.

The Pentium does not have this 'multimedia' instruction, and therefore the
speed is reduced to about 350 Mbit/s for ε = 1.5/2^30. However, one can use the
floating point co-processor; this requires that one reduces the key words from 32
bits to 27 bits to avoid overflow. This results in about 500 Mbit/s for ε = 1.5/2^?,
and 260 Mbit/s for the double length variant with ε ≈ 1.1/2^?.



4 Comparing the Hash Functions 

In Sect. 3 the properties of the different constructions have been listed. However,
this information does not allow one to compare the different schemes. As pointed
out in [?], for message authentication an ε-ASU or an ε-AXU combined with
an encryption is required. For this purpose, Table 5 defines six algorithms that
provide a comparable functionality. Note that all these functions are ε-AXU
Table 5. Six schemes for message authentication and a comparison of their
performance ('+' denotes composition)

  Scheme  Definition
  A       bucket hash (AU) + evaluation hash (AXU)
  B       bucket hash/short key (AU) + evaluation hash (AXU)
  C       Toeplitz hash (AXU) + evaluation hash (AXU)
  D       fast polynomial evaluation (AXU)
  E       evaluation hash (AXU)
  F       MMH (AXU) + evaluation hash (AXU)

  Scheme               A        B       C       D       E       F
  ε                    2^-32    2^-32   2^-32   2^-30   2^-49   1.1·2^-?
  Speed (Mbit/s)       323      89      33      87      240     250†
  Key (bits)           45,114   170     216     160     128     1243
  Hash result (bytes)  8        8       8       4       8       8
  Memory (Kbyte)       64       26      12      0.03    8       8.5†

  † estimated

(some functions need a group operation other than exor, such as scheme D with
q_0 ≠ 2).

The six algorithms from Table 5 are applied to an input of 256 Kbyte with as
goal ε ≈ 2^-32. Note that it is not possible to compare these schemes with exactly
the same parameters, because the value of ε for the best performance is typically
related to the word size of the processor. Messages of 256 Kbyte offer a fair basis
of comparison, because for shorter messages the performance varies more with
the message size. By introducing an unambiguous padding rule, one can also
process shorter inputs with the same code. The constructions can be extended
easily to larger message lengths, either by extending the basic construction or by
using trees. The full version of this paper will provide an extended comparison
for different values of ε and input sizes.

All parameters are chosen to optimize for speed (rather than for memory),
and the critical part of the code has been written in Assembly language. For
schemes A, B, C, and F the input is divided into blocks and Proposition 6 of
Sect. 2.3 is applied. This has the advantage that the description of the hash function
fits in the cache memory. The second hashing step for these schemes uses the
evaluation hash with n = 64. The results are summarized in Table 5.

Scheme A: the input is divided into 32 blocks of 8 Kbyte; each block is hashed
using the same bucket hash function with N = 160, which results in an
intermediate string of 20 480 bytes.

Scheme B: the input is divided into 64 blocks of 4 Kbyte; each block is hashed
using the same bucket hash function with short key (s = 42, L = 6, N =
128), which results in an intermediate string of 10 752 bytes.

Scheme C: the input is divided into 64 blocks of 4 Kbyte; each block is hashed
using a 33 × 1024 Toeplitz matrix, based on a δ-biased sequence of length
1056 generated using an 88-bit LFSR. The length of the intermediate string
is 8 448 bytes.

Scheme D: the input is hashed twice using the polynomial evaluation hash
function with ε = 2^-15, resulting in a combined value of ε = 2^-30, with
W = 5. The performance is slightly key dependent; therefore an average over
a number of keys has been computed.

Scheme E: this is simply the evaluation hash function with t = 32 768. Note
that the resulting value of ε is too small. However, choosing a smaller value
of n that is not a multiple of 32 induces a performance penalty.

Scheme F: the input is divided into 2048 blocks of 128 bytes; each block is
hashed twice using MMH. The length of the intermediate string is 16 384
bytes. It is not possible to obtain a value of ε closer to 2^-32 in an efficient
way.

Note that for bucket hashing and its variant the speed was measured under DOS,
while for the other schemes (which use a finite field arithmetic library) the speed
was measured under Windows '95. Timing measurements under DOS tend to be
a little better.

The main conclusion is that schemes A, E and F are the fastest.
Scheme A offers the best performance for $\varepsilon = 2^{-32}$. However, if the application
needs a smaller value of $\varepsilon$, schemes E and F are faster. Moreover, the
key size and memory size for scheme A are large. If the key is generated using
a pseudo-random function, or if the expanded key has to be decrypted before it
can be used, this will introduce a performance penalty (for example, 13.7 msec if
3-DES is used, which runs at 13.8 Mbit/s, and 0.43 msec for SEAL-3, which runs
at 440 Mbit/s). If memory requirements (both for the hash function and for
the result) are an issue, scheme D is the best solution. It is about 4 times slower
than scheme A, and requires less memory than scheme B. Note however that
the other schemes can reduce the memory requirement (for the hash function)
at the cost of a reduced speed. Schemes E and F offer a reasonable compromise
between performance and memory requirements; scheme F needs a larger key
and a powerful multiplier.

Recently Black et al. have proposed UMAC, which uses a different type of
inner product. UMAC is faster than MMH on processors with a fast multiplication
(Pentium II, PowerPC 604). They report a performance of 3.4 Gbit/s on a
233 MHz Pentium II. The value of $\varepsilon = 2^{-30}$, and the key size is about 32 768
bits (but slower versions with a shorter key are possible). It is also suggested
to replace the encryption at the end by a pseudo-random function that takes a
nonce as second input.

We provide a comparison with MAC algorithms based on hash functions and
block ciphers. The performance of HMAC and MDx-MAC depends on the underlying
hash function (MDx-MAC is a few percent slower than HMAC). For MD5 [22],
SHA-1 [17], RIPEMD-160, and RIPEMD-128 the speeds are respectively 228 Mbit/s,
122 Mbit/s, 101 Mbit/s, and 173 Mbit/s (note however that the security of
MD5 as a hash function is questionable; this has no immediate impact on its use
in HMAC and MDx-MAC, but it is prudent to plan for its replacement). For
CBC-MAC, the performance corresponds approximately to that of the underlying
block cipher. For DES this is 37.5 Mbit/s; for other block ciphers,
this varies between 20 and 100 Mbit/s. XOR-MAC is about 25% slower.

5 Concluding Remarks 

The main advantages of universal hash functions are that their security is unconditional,
and that their speed is comparable to or better than that of currently
used MAC algorithms. In addition, they are easy to implement and easy to
parallelize. Finally, they are often incremental (this means that after small
updates to the input, the output can be recomputed quickly). If they are used
with a pseudo-random string generator, the unconditional security is lost, but
what remains is a scheme that is easy to understand (the only cryptographic
requirement is concentrated in one primitive).

Applications where universal hash functions can be used are the protection 
of high speed telecommunication networks, video streams, and for the integrity 
protection of file systems. 

Many banking systems currently use unique MAC keys per transaction: for
each transaction a new MAC key is derived from a master key. Therefore it
seems natural to replace the MAC algorithms by universal hash functions, but
with the following caveats: for short messages, the performance advantage of
universal hash functions is limited. Moreover, constructions based on universal
hash functions often give away part of their key bits (as an example, an input
consisting of zero bits is often mapped to a hash result of zero bits). This is
not a problem for the authentication, because the hash result is encrypted using
a one-time pad. The opponent cannot exploit this property to forge messages,
but he can easily find the output bits of the pseudo-random string generator.
Therefore, any cryptographic weakness in the pseudo-random string generator
may compromise the master keys, and it would be advisable to invest some of
the time gained by using a universal hash function in strengthening the pseudo-random
string generator. The security of the MAC algorithms depends on a
cryptographic assumption, and thus it might well be possible that one finds a
way to forge messages. However, for none of the state-of-the-art MAC algorithms
is an attack known that can recover one or more key bits by observing a single
text-MAC pair. Therefore an opponent will not be able to learn the MAC keys,
and mounting an attack on the pseudo-random string generator will probably be
more difficult (note that there is no proof of this). In summary, universal hash
functions solve in an elegant and very efficient way the authentication problem,
but put a higher requirement on the pseudo-random string generator, while MAC
algorithms divide the (conjectured) cryptographic strength between the MAC
algorithm and the pseudo-random string generator.
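As an added example (not code from the paper), the following Python sketch implements the polynomial evaluation hash over GF(2^32), applies it twice with independent keys as scheme D does, turns the result into a MAC by XOR-ing a one-time pad, and then demonstrates the caveat just discussed: an all-zero input hashes to zero under every key, so its tag is the pad itself and hands an observer the output bits of the pseudo-random string generator without revealing the hash key. The field polynomial, the Horner-style evaluation and the 32-bit word layout are assumptions of this sketch, not parameters stated by the paper.

```python
import secrets

# GF(2^32) with the irreducible polynomial x^32 + x^7 + x^3 + x^2 + 1.
# This representation is an assumption of the example; the paper fixes no field.
POLY = (1 << 32) | (1 << 7) | (1 << 3) | (1 << 2) | 1
MASK32 = (1 << 32) - 1


def gf_mul(a, b):
    """Carry-less multiplication of two GF(2^32) elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << 32):
            a ^= POLY
    return r


def eval_hash(key, blocks):
    """Polynomial evaluation hash over GF(2^32) by Horner's rule:
    h = m_1*key^(t-1) + m_2*key^(t-2) + ... + m_t.
    Two distinct t-block inputs agree for at most t choices of key, so the
    collision probability over a random key is at most t / 2^32."""
    acc = 0
    for m in blocks:
        acc = gf_mul(acc, key) ^ (m & MASK32)
    return acc


def scheme_d_hash(k1, k2, blocks):
    """Hash twice with independent keys and concatenate: a 64-bit output whose
    collision probability is the product (t/2^32)^2, i.e. 2^-32 for t = 2^16."""
    return (eval_hash(k1, blocks) << 32) | eval_hash(k2, blocks)


def mac(k1, k2, pad, blocks):
    """Authentication tag: hash XOR a fresh 64-bit one-time pad from the PRG."""
    return scheme_d_hash(k1, k2, blocks) ^ pad


def zero_message_exposes_pad(k1, k2, pad, t):
    """The all-zero t-block message hashes to 0 under every key, so its tag
    equals the pad: an observer learns 64 PRG output bits (not the hash key)."""
    return mac(k1, k2, pad, [0] * t) == pad


if __name__ == "__main__":
    k1, k2 = secrets.randbits(32), secrets.randbits(32)   # hash keys
    pad = secrets.randbits(64)                            # one 64-bit pad
    msg = [0x41424344, 0x45464748, 0x494A4B4C]            # constructed sample input
    print("tag =", hex(mac(k1, k2, pad, msg)))
    print("zero message leaks pad:", zero_message_exposes_pad(k1, k2, pad, 16))
```

The leak does not help a forger, who still needs $k_1, k_2$ to compute the hash of any other message; what it does is expose raw generator output, which is why the text recommends spending the saved cycles on a stronger pseudo-random string generator.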
Abstract. We prove the first general and non-trivial lower bound for
the number of times a 1-out-of-$n$ Oblivious Transfer of strings of length $\ell$
should be invoked so as to obtain, by an information-theoretically secure
reduction, a 1-out-of-$N$ Oblivious Transfer of strings of length $L$. Our
bound is tight in many significant cases.

We also prove the first non-trivial lower bound for the number of random
bits needed to implement such a reduction whenever the receiver sends
no messages to the sender. This bound is also tight in many significant
cases.



1 Introduction 

The Oblivious Transfer. The Oblivious Transfer (OT) is a fundamental
primitive in secure protocol design, which has been defined in many different
ways and contexts and has found enormously many applications.

The OT is a protocol typically involving two players, the sender and the
receiver, and several parameters. In the most used form, the $\binom{N}{1}$-OT$_2^L$, the sender
has $N$ binary secrets of length $L$, and the receiver gets exactly one of these
strings, the one he chooses, but no information about any other secret (even if
he cheats), while the sender (even if she cheats) gets no information about the
secret learned by the receiver.

Also important is the notion of a weak Oblivious Transfer, a relaxation of
the traditional OT. The only difference in a weak $\binom{N}{1}$-OT$_2^L$ is that a cheating
receiver is allowed to obtain partial information about several secrets, but at
most $L$ bits of information overall.

Reductions between different OTs. Protocol reductions facilitate protocol 
design because they enable one to take advantage of implementing cryptograph- 
ically only a few, carefully chosen, primitives. Information-theoretic reductions 
are even more attractive, because they guarantee that the security of a complex 
construction automatically coincides with that of the chosen primitive, once the 
latter is implemented cryptographically. 
But to be really useful, reductions must be efficient. In particular, because
even the best cryptographic implementation of a chosen primitive may be expensive
to run, it is crucial that reductions call such primitives as few times as
possible.

Because of the importance of OT, numerous reductions from "more complex"
to "simpler" OT appear in the literature. Particular
attention has been devoted to reducing $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$, where $N \ge n$ and
$L \ge \ell$, both in the weak and in the strong case. Typically, these reductions are
information-theoretically secure if the simpler OT is assumed to be so secure.

An important class of OT reductions are the ones in which the receiver sends
no messages to the sender. Such reductions are called natural, both because all
known OT reductions are of this type, and because they immediately
imply that the sender gets no information about the receiver's index.

So far, researchers have been focusing on improving the upper bounds of
these reductions, that is, the number of times one calls $\binom{n}{1}$-OT$_2^\ell$ in order to
construct $\binom{N}{1}$-OT$_2^L$. However, little is known about the corresponding lower
bounds. Indeed,

    What is the minimum number of times that the given $\binom{n}{1}$-OT$_2^\ell$ must be
    invoked so as to obtain the desired $\binom{N}{1}$-OT$_2^L$?

Lower bounds were previously addressed in the context of very specific reduction
techniques, and for very specific OTs. For instance, in [5] simple lower bounds
are derived for reductions of $\binom{2}{1}$-OT$_2^L$ to $\binom{2}{1}$-OT$_2^\ell$ that use zigzag functions.

Another natural resource of a reduction of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ is the
amount of needed randomness. That is, an OT protocol is necessarily probabilistic,
but

    What is the minimum number of random bits needed in an information-theoretically
    secure reduction of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$?

To the best of our knowledge, no significant results have ever been obtained
about this crucial aspect.

Our results. In this paper we provide the first general lower bounds for such
information-theoretic OT reductions, and prove that these bounds are tight in
significant cases. Namely, we prove that

— In any information-theoretically secure reduction of (even weak!) $\binom{N}{1}$-OT$_2^L$
to $\binom{n}{1}$-OT$_2^\ell$, the latter protocol must be invoked at least $\frac{L}{\ell}\cdot\frac{N-1}{n-1}$ times.

— The lower bound is tight for weak $\binom{N}{1}$-OT$_2^L$.

— The lower bound is tight for ("strong") $\binom{N}{1}$-OT$_2^L$ when $L = \ell$.

We also prove the first general lower bound for the amount of randomness needed
in a natural OT reduction. Namely,

— In any natural reduction of (even weak) $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$, the sender
must flip at least $\frac{L(N-n)}{n-1}$ coins.

— The lower bound is tight for weak $\binom{N}{1}$-OT$_2^L$.

— The lower bound is tight for ("strong") $\binom{N}{1}$-OT$_2^L$ when $L = \ell$.

We note that, in a natural reduction, the amount of randomness used by the
sender necessarily coincides with the total amount of randomness needed by both
parties.

We point out the interesting special case when $n = 2$ and $\ell = 1$, i.e. reducing
$\binom{N}{1}$-OT$_2^L$ to $\binom{2}{1}$-OT$_2^1$, the simplest possible 1-out-of-2 Oblivious Transfer. We
obtain that we need at least $L(N-1)$ invocations of $\binom{2}{1}$-OT$_2^1$ and, for a natural
OT reduction, at least $L(N-2)$ random bits.

Lower bounds via information theory. No general lower bound for OT
reductions would be provable without very precisely and generally defining what
such a reduction is. Fortunately, one such definition was successfully given by
Brassard, Crépeau, and Santha based on information theory, and in particular
the notion of mutual information. This framework is very useful since it allows
one to define precisely such intuitive (but hard to capture formally) notions as
"learn at most $k$ bits of information" or "learn no information other than ...".

We point out, however, that information theory is much more useful than
merely defining the problem. Indeed, we shall demonstrate that its powerful
machinery is essential in solving our problem, for example, in proving our
$\frac{L}{\ell}\cdot\frac{N-1}{n-1}$ lower bound on the number of invocations. Only the trivial bound
of $\frac{L}{\ell}$ appears to be provable without information theory. But getting the
additional factor $\frac{N-1}{n-1}$ in the lower bound (which is essential when $L = \ell$)
requires explicit or implicit use of information theory.

We believe and hope that information theory will prove useful for other types 
of lower bounds in protocol problems. 

2 Preliminaries 

2.1 Information Theory Background 

Let $X, Y, Z$ be random variables over domains $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$. Let us denote by
$P_X(x)$, $P_{X|Z}(x|z)$, $P_{X,Y}(x,y)$ the probability distribution of $X$, the conditional
probability distribution of $X$ given $Z$, and the joint distribution of $X$ and $Y$
respectively.

Definition 1.

— The entropy $H(X) = -\sum_x P_X(x)\log_2 P_X(x)$.

The entropy of a random variable $X$ tells how many truly random bits one
can extract from $X$, i.e. how much "uncertainty" is in $X$.

— The conditional entropy $H(X|Z)$ is the average over $z$ of the entropy of the
variable $X_z$ distributed according to $P_{X|Z}(x|z)$ (denoted $H(X|Z=z)$), i.e.

$$H(X|Z) = \sum_z P_Z(z)\,H(X|Z=z) = -\sum_z\sum_x P_Z(z)\,P_{X|Z}(x|z)\log_2 P_{X|Z}(x|z).$$

$H(X|Z)$ measures how much uncertainty $X$ still has when one knows $Z$.
— The joint entropy of $X$ and $Y$ is the entropy of the joint variable $(X,Y)$,
i.e.

$$H(X,Y) = -\sum_{x,y} P_{X,Y}(x,y)\log_2 P_{X,Y}(x,y).$$

— The mutual information between $X$ and $Y$ is $I(X;Y) = H(X) - H(X|Y)$.

— The mutual information between $X$ and $Y$ given $Z$ is
$I(X;Y|Z) = H(X|Z) - H(X|Y,Z)$.

The mutual information between $X$ and $Y$ (given $Z$) tells how much common
information there is between $X$ and $Y$ (given $Z$), i.e. by how much the uncertainty
of $X$ (given $Z$) decreases after one learns $Y$.

The following easily verified lemma summarizes some of the properties we
will need.

Lemma 2.

1. $H(X,Y) = H(X) + H(Y|X) = H(Y) + H(X|Y)$.

2. $I(X;Y) = I(Y;X) = H(Y) - H(Y|X) = H(X) - H(X|Y) = H(X) + H(Y) - H(X,Y)$.

3. $I((X,Y);Z) = I(X;Z) + I(Y;Z|X)$.

4. $H(X|Y) = 0$ iff $X$ is a deterministic function of $Y$.

5. $H(X|Y) \le H(X)$ with equality iff $X$ and $Y$ are independent.

(Thus, $I(X;Y) \ge 0$ with equality iff $X$ and $Y$ are independent.)

6. $I(X;Y) \le H(X) \le \log_2|\mathcal{X}|$.

7. $I(X;Y) \le I(X;Y|Z) + H(Z)$.

8. $H(U_n) = n$, where $U_n$ is the uniform distribution over $n$-bit strings.
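As an added illustration (not part of the paper), the following Python code computes the quantities of Definition 1 from an explicit joint distribution and checks the items of Lemma 2 numerically. The distribution is constructed here: $X$ and $Z$ are independent uniform bits and $Y = X \oplus Z$, a one-time-pad situation in which $I(X;Y) = 0$ but $I(X;Y|Z) = 1$. It shows that conditioning can raise mutual information, by at most $H(Z)$, which is exactly what item 7 bounds and what the proof of Lemma 3 below relies on.

```python
import math


def marginal(joint, keep):
    """Marginal pmf of the coordinates listed in `keep`, from a joint pmf given
    as {tuple_of_outcomes: probability}."""
    out = {}
    for outcome, p in joint.items():
        key = tuple(outcome[i] for i in keep)
        out[key] = out.get(key, 0.0) + p
    return out


def H(joint, idx):
    """Entropy (Definition 1) of the coordinates `idx`, in bits."""
    return -sum(p * math.log2(p) for p in marginal(joint, idx).values() if p > 0)


def H_cond(joint, idx, given):
    """Conditional entropy H(X | Z) = H(X, Z) - H(Z)  (Lemma 2, item 1)."""
    return H(joint, list(idx) + list(given)) - H(joint, list(given))


def I(joint, a, b, given=()):
    """(Conditional) mutual information I(X; Y | Z) = H(X | Z) - H(X | Y, Z)."""
    return H_cond(joint, a, given) - H_cond(joint, a, list(b) + list(given))


def one_time_pad_joint():
    """Constructed distribution: X and Z independent uniform bits, Y = X xor Z.
    Coordinates are (X, Y, Z) at indices 0, 1, 2."""
    return {(x, x ^ z, z): 0.25 for x in (0, 1) for z in (0, 1)}


def check_lemma(joint, X=(0,), Y=(1,), Z=(2,)):
    """Which items of Lemma 2 hold numerically for this joint pmf."""
    eps = 1e-9
    close = lambda u, v: math.isclose(u, v, abs_tol=eps)
    size_x = len(marginal(joint, list(X)))
    return {
        "1 chain rule for H": close(H(joint, list(X) + list(Y)),
                                    H(joint, X) + H_cond(joint, Y, X)),
        "2 symmetry of I": close(I(joint, X, Y), I(joint, Y, X)),
        "3 chain rule for I": close(I(joint, list(X) + list(Z), Y),
                                    I(joint, X, Y) + I(joint, Z, Y, X)),
        "5 conditioning reduces H": H_cond(joint, X, Y) <= H(joint, X) + eps,
        "6 I <= H <= log|X|": I(joint, X, Y) <= H(joint, X) + eps
                              <= math.log2(size_x) + 2 * eps,
        "7 I(X;Y) <= I(X;Y|Z) + H(Z)": I(joint, X, Y)
                                       <= I(joint, X, Y, Z) + H(joint, Z) + eps,
    }


if __name__ == "__main__":
    j = one_time_pad_joint()
    print("H(X) =", H(j, (0,)), " I(X;Y) =", I(j, (0,), (1,)),
          " I(X;Y|Z) =", I(j, (0,), (1,), (2,)))
    print(check_lemma(j))
```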

2.2 Information-Theoretically Secure OT Reductions 

Assuming some familiarity with the notion of an interactive Turing machine
(ITM), let us semi-formally define (1) protocols with an ideal $\binom{n}{1}$-OT$_2^\ell$ and
then (2) information-theoretically secure reductions of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$.

Despite the difference in presentation, the following definition is a simplification
of that of [5]. (For instance, we simplify it by ignoring the additional
condition of awareness, which is not going to affect our lower bound in any way.)

Protocols with ideal $\binom{n}{1}$-OT$_2^\ell$. Let us denote by an $n$-sender a probabilistic
ITM having $n$ special registers, and by an $n$-receiver a probabilistic ITM having
a single special register. Let $A$ be an $n$-sender and $B$ an $n$-receiver. We say that
$(A,B)$ is a protocol with ideal $\binom{n}{1}$-OT$_2^\ell$ if, letting $a$ be a private input for $A$
and $b$ be a private input for $B$, the computation of $(A,B)$ proceeds as that of a
pair of ITMs, except that it consists of three (rather than the usual two) types
of rounds: sender-rounds, receiver-rounds and OT-rounds, where by convention
the first round always is a sender-round and the last is a receiver-round. In a
sender-round, only $A$ is active, and it sends a message to $B$ (that will become an
input to $B$ at the start of the next receiver-round). In a receiver-round,
only $B$ is active and, except for the last round, it sends a message to $A$ (this message will
become an input to $A$ at the start of the next sender-round). In an OT-round,
(1) $A$ places for each $j \in [1,n]$ an $\ell$-bit string $a_j$ in its $j$-th special register, and

(2) $B$ places an integer $i \in [1,n]$ in its special register, and

(3) $a_i$ will become a distinguished input to $B$ at the start of the next receiver-round.
$A$ will obtain no information about $i$.

At the end of any execution of $(A,B)$, $B$ computes a distinguished string called
$B$'s output.

Messages and Views. Let $(A,B)$ be a protocol with ideal $\binom{n}{1}$-OT$_2^\ell$. Then, in
an execution of $(A,B)$, we refer to the messages that $A$ sends in a sender-round
as $A$'s ordinary messages, and to the strings that $A$ writes in its special registers
in an OT-round as $A$'s potential OT messages. For each OT-round, only one of
the $n$ potential messages will be received by $B$, and we shall refer to all such
received messages as $B$'s actual OT messages. Recalling that both $A$ and $B$ are
probabilistic, in a random execution of $(A,B)$ where the private input of $A$ is $a$
and the private input of $B$ is $b$, let us denote by $\mathrm{VIEW}_A[A(a),B(b)]$ the random
variable consisting of

(1) $a$, (2) $A$'s coin tosses, and (3) the ordinary messages received by $A$;

and let us denote by $\mathrm{VIEW}_B[A(a),B(b)]$ the random variable consisting of

(1) $b$, (2) $B$'s coin tosses, and (3) all messages (both the ordinary and the
actual OT ones) received by $B$.

Reduction of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$. Denote by $\mathcal{W}$ the set of all $N$-long
sequences of $L$-bit strings and, given $w \in \mathcal{W}$, let $w_i$ be the $i$-th string of $w$.
Denote by $W$ the random variable that selects an element of $\mathcal{W}$ with uniform
probability; by $I$ the random variable selecting an integer in $[1,N]$ with uniform
probability; and let $A$ be an $n$-sender and $B$ be an $n$-receiver. We say that $(A,B)$
is an information-theoretically secure reduction of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ if the
following three properties are satisfied:

(P1) (Correctness) $\forall w \in \mathcal{W}$ and $\forall i \in [1,N]$ and $\forall$ execution of $(A,B)$ where
$A$'s private input is $w$ and $B$'s private input is $i$,
$B$'s output is $w_i$;

(P2) (Receiver Privacy) $\forall$ sender $A'$ and $\forall$ string $a'$,

$$I(\mathrm{VIEW}_{A'}[A'(a'),B(I)];\, I) = 0; \qquad (1)$$

(P3) (Sender Privacy) $\forall$ receiver $B'$ and string $b'$, $\exists$ a random variable $I \in [1,N]$
independent of $W$ s.t.

$$I(W;\, \mathrm{VIEW}_{B'}[A(W),B'(b')] \mid W_I) = 0. \qquad (2)$$

In the context of a reduction of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$, we shall sometimes say
that we are given $\binom{n}{1}$-OT$_2^\ell$ as a black-box.
The Correctness Property states that when $A$ and $B$ are honest, $B$ will always
obtain the string he wants. The Receiver Privacy Property states that no
malicious sender $A'$ can learn any information about the index of the honest
receiver $B$. Finally, the Sender Privacy Property states that a malicious receiver
$B'$ can learn information about at most one of the $N$ strings of the sender $A$. Moreover,
the index $I$ of this single string cannot depend on $W$ (e.g. we don't want
$B'$ to learn the first string in $W$ that starts with 10). In other words, neither $A$
nor $B$ gains anything by not following the protocol.



Reduction of weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$. We call $(A,B)$ an information-theoretically
secure reduction of weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ if all the properties
of the reduction of $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ hold except that (Sender Privacy) is relaxed
to the following:

(P3') (Weak Sender Privacy) $\forall$ receiver $B'$ and string $b'$,

$$I(W;\, \mathrm{VIEW}_{B'}[A(W),B'(b')]) \le L. \qquad (3)$$

This property says that we allow a malicious receiver $B'$ to obtain partial information
about possibly several strings, provided he learns no more than $L$ bits of
information overall. To emphasize the difference, we will sometimes refer to the
(regular) reduction between $\binom{N}{1}$-OT$_2^L$ and $\binom{n}{1}$-OT$_2^\ell$ as reducing strong $\binom{N}{1}$-OT$_2^L$
to $\binom{n}{1}$-OT$_2^\ell$. To justify this terminology, we show

Lemma 3. If $(A,B)$ is a reduction of (strong) $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$, then it is
a reduction of weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$.

Proof. By Lemma 2 (equations 7 and 6),

$$I(W;\mathrm{VIEW}_{B'}[A(W),B'(b')]) \le I(W;\mathrm{VIEW}_{B'}[A(W),B'(b')] \mid W_I) + H(W_I) = H(W_I) \le |W_I| = L.$$



3 Lower Bounds 

To simplify our notation, we do not worry about "floors" and "ceilings" in the
rest of the paper, assuming that $(N-1)$ is divisible by $(n-1)$ and that $L$ is
divisible by $\ell$ (handling the general case presents no significant difficulties).
We will also refer to the sender as Alice and to the receiver as Bob.

Let $\alpha$ be the number of OT-rounds (invocations of $\binom{n}{1}$-OT$_2^\ell$) needed to reduce
(weak) $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$. Since we concentrate on the worst possible number
of OT-rounds, we can assume w.l.o.g. that $\alpha$ is a fixed number and that the
sender and receiver always perform exactly $\alpha$ OT-steps. We start with a sharp
lower bound on $\alpha$.



Yevgeniy Dodis and Silvio Micali



3.1 Lower Bound on the Number of Invocations of $\binom{n}{1}$-OT$_2^\ell$

Theorem 4. Any information-theoretically secure reduction of weak¹ $\binom{N}{1}$-OT$_2^L$
to $\binom{n}{1}$-OT$_2^\ell$ must have

$$\alpha \ \ge\ \frac{L}{\ell}\cdot\frac{N-1}{n-1}. \qquad (4)$$

Proof. Let us first give the informal intuition behind the proof. We know by
the (weak) sender privacy condition that Bob can learn at most $L$ (out of a total
of $NL$) bits of information about $W$. However, if in each of the OT-rounds Bob
was somehow able to obtain all $n$ strings that Alice put as her local inputs to
this OT-round (rather than getting only one of them), Bob should be able to
learn all of $W$ (all $NL$ bits). Indeed, if Bob could not learn some $w_i$ with
certainty, Alice would know that Bob's index is not $i$ (if it were $i$, honest Bob should
be able to get $w_i$ with probability 1 by the correctness property). But this would
contradict the receiver privacy condition, as Alice learns some information about
Bob's index. Hence, the $\alpha n\ell - \alpha\ell = \alpha\ell(n-1)$ bits that Bob did not get from the OT-rounds
"contain information" about the remaining at least $NL - L = L(N-1)$
bits of $W$ that Bob did not learn. The bound follows.

Let us now turn this intuition into a formal proof. Let $P$, $P = (\mathrm{Alice},\mathrm{Bob})$,
be an information-theoretically secure reduction of weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ that
uses $\alpha$ invocations of $\binom{n}{1}$-OT$_2^\ell$. First, we need the following simple lemma.

Local Lemma: $\forall$ input $w = w_1,\ldots,w_N$, $\forall$ random tape $R_A$ for Alice, $\forall$ distinct
$i,i' \in [1,N]$ and $\forall$ random tape $R'_B$ for Bob, there exists a tape $R_B$ for
Bob such that the sequence of messages, $M$, received by Alice$(w,R_A)$ from
Bob$(i',R'_B)$ coincides with the sequence of messages that Alice$(w,R_A)$ receives
from Bob$(i,R_B)$.

Proof: Assume that $R_B$ does not exist. Then, executing with Bob$(i',R'_B)$, we
get that Alice$(w,R_A)$ will determine for sure that Bob's index is not $i$. Thus,
when Bob's index is $i'$, with non-zero probability over Bob's random string,
Alice$(w,R_A)$ would obtain information about Bob's index (that it is not $i$),
contradicting the receiver privacy condition. ■

To derive our lower bound for $\alpha$, we define the following two notions: that of
a special execution of $P$ and that of a pseudo-execution of $P$.

Special execution. A special execution of $P$ is an execution of $P$ in which
Alice's input is a sequence of $N$ randomly selected strings of length $L$, Alice's
tape consists of randomly and independently selected bits, Bob's index is 1, and
Bob's tape is the all-zero string, $\mathbf{0}$. In other words, we fix the behavior of Bob
by fixing his index and the random string. With respect to a special execution
of $P$, define the following random variables:

— $W$ — Alice's $N$ $L$-bit strings, $W = W_1,\ldots,W_N$;

— $R$ — Alice's random tape;

¹ Since we are proving a lower bound, it clearly applies to (strong) $\binom{N}{1}$-OT$_2^L$ as well.
— $M_S$ — the ordinary messages sent by sender Alice;

— $M_R$ — the ordinary messages sent by receiver Bob;

— $V$ — Alice's potential messages (an $\alpha n\ell$-bit string, that is, for each of the
$\alpha$ invocations of $\binom{n}{1}$-OT$_2^\ell$, the $n$ $\ell$-bit strings that are Alice's local inputs in
the invocation);

— $V_r$ — the actual messages received by Bob in the OT-rounds (an $\alpha\ell$-bit
string, that is, for each of the $\alpha$ invocations of $\binom{n}{1}$-OT$_2^\ell$, the $\ell$-bit string that
Bob received depending on his local index during that invocation).

Pseudo-execution. Let $M_S$ be a sequence of messages, let $V$ be a sequence of
$\alpha$ sequences of $n$ strings of length $\ell$ each, let $i$ be an index in $[1,N]$, and let $R_B$ be
a bit-sequence. A pseudo-execution of $P$ with inputs $M_S$, $V$, $i$, and $R_B$, denoted
by $P(M_S,V,i,R_B)$, is the process of running Bob with index $i$ and coin tosses
$R_B$, letting the message from the sender in the $k$-th sender-round be the $k$-th string
of $M_S$, and letting the sender's input to the $k$-th invocation of $\binom{n}{1}$-OT$_2^\ell$ be the
$k$-th $n$-tuple of $\ell$-bit strings in $V$. In other words, we pretend to be Alice and see
what Bob will do in this situation on some particular index and random string.

Our lower bound for $\alpha$ immediately follows from the following two claims.

Local Claim 1: $I((V,M_S);W) = NL$.

Proof: By the definition of mutual information, we have

$$I((V,M_S);W) = H(W) - H(W \mid (V,M_S)).$$

Because $W$ is randomly selected, $H(W) = NL$. Therefore, to establish our claim
we must prove that $H(W \mid (V,M_S)) = 0$. We do that by showing that $W$ is
computable from $V$ and $M_S$ by means of the following algorithm.

1. Run $P(M_S,V,1,\mathbf{0})$ and let $M_R$ be the resulting "ordinary messages sent by
Bob".

(Comment: Bob's view and Bob's messages sent in this pseudo-execution are
distributed exactly as in a special execution.)

2. For $i = 1\ldots N$ compute $W_i$ as follows:

— Find a string $R_i$ such that, when executing $P(M_S,V,i,R_i)$, the sequence
of messages sent by Bob equals $M_R$.

(Comment: The existence of at least one such $R_i$ follows from the Local
Lemma with $i' = 1$, $R'_B = \mathbf{0}$, $w = W$ and $R_A = R$. Further notice
that, because $M_R$, $W$ and $R$ totally determine Alice's behavior, the
messages and "potential" messages that Alice$(W,R)$ sends to Bob$(1,\mathbf{0})$
and to Bob$(i,R_i)$ are exactly $M_S$ and $V$ in both cases. Hence, any $R_i$
that produces $M_R$ in the pseudo-execution $P(M_S,V,i,R_i)$ implies that
Alice$(W,R)$ would produce messages $M_S$ and "potential" messages $V$
when communicating with Bob$(i,R_i)$.)

— Let $W_i$ be Bob's output in $P(M_S,V,i,R_i)$.

(Comment: By the correctness property of our reduction, Bob$(i,R_i)$
would correctly output $W_i$ when talking to Alice$(W,R)$. And as we noticed,
Alice$(W,R)$ would produce $M_S$ and $V$ when communicating with
Bob$(i,R_i)$, so running the pseudo-execution $P(M_S,V,i,R_i)$ indeed makes
Bob produce the correct $W_i$.) ■



Local Claim 2: $I((V,M_S);W) \le L + \alpha\ell(n-1)$.

Proof: By Lemma 2 (equation 3), we have

$$I((V,M_S);W) = I((V_r,M_S);W) + I(V\setminus V_r;\, W \mid (V_r,M_S)).$$

Now, because $P$ implements weak $\binom{N}{1}$-OT$_2^L$, and because $(V_r,M_S)$ consists of
Bob's view in a (special) execution of $P$, we have by (P3') that $I((V_r,M_S);W) \le L$.
Also, by Lemma 2 (equations 5 and 6),

$$I(V\setminus V_r;\, W \mid (V_r,M_S)) \le |V\setminus V_r| = \alpha\ell(n-1).$$

The claim follows. ■

By combining Local Claims 1 and 2, we have $NL \le L + \alpha\ell(n-1)$, from
which the desired lower bound for $\alpha$ immediately follows.

3.2 Lower Bound on the Number of Random Bits 

Let us now prove the lower bound on the number of random bits needed by the
sender in a natural reduction.

Theorem 5. In any information-theoretically secure natural reduction of weak² $\binom{N}{1}$-OT$_2^L$
to $\binom{n}{1}$-OT$_2^\ell$ the sender must flip at least $\frac{L(N-n)}{n-1}$ random coins.

Proof. Let $P$, $P = (\mathrm{Alice},\mathrm{Bob})$, be an information-theoretically secure natural
reduction from weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$. As before, let $W$ be the random
input of Alice, $R$ her random tape, $M_S$ her ordinary messages sent to
Bob and $V$ her "potential" messages. We notice that since the reduction is
natural, the distribution of $V$ and $M_S$ does not depend on Bob's index and his
random string. Let $V_j$, $j = 1\ldots n$, be the $\alpha$-tuple consisting of string number $j$
taken from each of the $\alpha$ invocations of $\binom{n}{1}$-OT$_2^\ell$. We see that $V$ is the disjoint
union of $V_1,\ldots,V_n$.

As before, we proceed by expanding the mutual information between $W$ and
$(V,M_S)$ in two different ways.

$$I((V,M_S);W) = H(W) - H(W \mid (V,M_S)) = NL - 0 = NL \qquad (5)$$

Here we used the fact that $W$ is determined from $V$ and $M_S$. Indeed, since $V$
and $M_S$ do not depend on Bob's input or random string, Alice should make sure
that honest Bob can retrieve any $W_i$ with probability 1 (if his input is $i$).

On the other hand, it is a possible behavior for a (malicious) Bob to read
string number $j$ in all the OT-rounds, i.e. to obtain $V_j$. By the weak sender

² Again, the same result applies to (strong) $\binom{N}{1}$-OT$_2^L$ as well.
privacy condition, $I((V_j,M_S);W) \le L$, and, therefore, for any $j \in [1,n]$ we have
(using Lemma 2, equations 5 and 6)

$$I((V,M_S);W) = I((V_j,M_S);W) + I(V\setminus V_j;\, W \mid (V_j,M_S)) \le L + H(V\setminus V_j \mid V_j).$$

Combining this with Equation (5) we get

$$H(V\setminus V_j \mid V_j) \ge L(N-1), \qquad \forall j \in [1,n]. \qquad (6)$$

Since $V$ is a disjoint union of the $V_j$'s, we get from the above equation (for $j = n$) and
Lemma 2 (equations 1 and 5) that $L(N-1) \le H(V\setminus V_n \mid V_n) \le \sum_{j=1}^{n-1} H(V_j \mid V_n)$.
Hence, there is an index $j \in [1,n-1]$ s.t. $H(V_j) \ge H(V_j \mid V_n) \ge \frac{L(N-1)}{n-1}$. W.l.o.g.
assume $j = 1$, i.e. $H(V_1) \ge \frac{L(N-1)}{n-1}$. Since for a fixed $W$, the only randomness of
$V$ comes from $R$, we have by Equation (5) and Lemma 2 (equation 1)

$$|R| \ \ge\ H(V \mid W) = H(V,W) - H(W) = H(V_1) + H(V\setminus V_1 \mid V_1) - NL
\ \ge\ \frac{L(N-1)}{n-1} + L(N-1) - LN = \frac{L(N-n)}{n-1}.$$

Here $H(V,W) = H(V)$ as $W$ is a function of $V$, and then we use (6) for $j = 1$
and our assumption on $H(V_1)$. This completes the lower bound proof.



4 Upper Bounds 

Though this paper focuses on proving lower bounds, we need to touch briefly
upon upper bounds to demonstrate the tightness of Theorems 4 and 5. This is
done by means of a single natural reduction of weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ that
simultaneously achieves both the lower bounds for the number of invocations of
$\binom{n}{1}$-OT$_2^\ell$ and the number of random bits needed by the sender. This protocol is
a simple generalization of the one given by Brassard, Crépeau and Santha [5]
for the case $L = \ell$, $n = 2$. For completeness purposes, we also include the proof
that this protocol works. Though a similar proof could be derived from [5], the
one included here is more direct because our definition of a reduction is slightly
simpler.³ Note that the same protocol also proves that our lower bounds are
tight for reductions of (strong) $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$.

Theorem 6. There exists a natural information-theoretically secure reduction
of weak $\binom{N}{1}$-OT$_2^L$ to $\binom{n}{1}$-OT$_2^\ell$ such that

— it uses $\frac{L}{\ell}\cdot\frac{N-1}{n-1}$ invocations of $\binom{n}{1}$-OT$_2^\ell$;

— the sender uses $\frac{L(N-n)}{n-1}$ random bits.

³ You might notice that we embed the security of $\binom{n}{1}$-OT$_2^\ell$ into the definition of our
reduction. Without doing so, one would have to argue about "nested mutual information".

Moreover, for $L = \ell$, the reduction actually is a reduction of (strong) $\binom{N}{1}$-OT$_2^L$
to $\binom{n}{1}$-OT$_2^\ell$.

Proof. We start with $L = \ell$, i.e. a reduction of (strong) $\binom{N}{1}$-OT$_2^\ell$ to $\binom{n}{1}$-OT$_2^\ell$,
making $\alpha = \frac{N-1}{n-1}$ invocations and using $\frac{\ell(N-n)}{n-1}$ random bits for Alice. Let $w =
w_1,\ldots,w_N$ be Alice's $N$ strings of length $\ell$ each, and let $i$ be Bob's index.

Protocol $P(w,i)$:

1. Alice chooses $(\alpha-1)$ random $\ell$-bit strings $x_1,\ldots,x_{\alpha-1}$ using $\ell(\alpha-1) =
\frac{\ell(N-n)}{n-1}$ random bits. Set $x_0 = 0^\ell$, $x_\alpha = w_N$.

2. Perform $\alpha$ invocations of $\binom{n}{1}$-OT$_2^\ell$ where transfer $j = 0\ldots(\alpha-1)$ implements

$$\binom{n}{1}\text{-OT}_2^\ell\bigl[\,w_{j(n-1)+1}\oplus x_j,\; w_{j(n-1)+2}\oplus x_j,\;\ldots,\; w_{(j+1)(n-1)}\oplus x_j,\; x_{j+1}\oplus x_j\,\bigr].$$

Let $z_j$ be the value Bob reads from the $j$-th invocation, described next.

3. Let $j_0 \in \{0\ldots(\alpha-1)\}$ be the index of the box which has the XOR-ed value
of $w_i$ ($j_0 = \lfloor\frac{i-1}{n-1}\rfloor$ if $i \ne N$, and $j_0 = \alpha-1$ otherwise). Bob reads the value
$z_{j_0} = w_i \oplus x_{j_0}$ from box number $j_0$ and the values $z_j = x_{j+1}\oplus x_j$ for all $j < j_0$.

4. Bob outputs $\bigoplus_{j=0}^{j_0} z_j$.
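The protocol above, simulated end to end in Python with an ideal $\binom{n}{1}$-OT box, as an added example that is not the authors' code. Alice's side builds the $\alpha$ boxes exactly as in step 2 and reports how many random bits she used; honest Bob follows steps 3 and 4. The second half takes the view used later in Local Claim 2 of the proof: every box entry is a characteristic vector over the $N+\alpha-1$ variables $w_1,\ldots,w_N,x_1,\ldots,x_{\alpha-1}$, so Gaussian elimination over GF(2) tells which $w_i$ an arbitrary (possibly dishonest) choice of one entry per box pins down, and whether all $\alpha n$ entries are independent. Strings are represented as Python `bytes` of equal length, indices of boxes and entries are 0-based in the code (the paper's $t_j$ is `entry + 1`), and the helper names are this example's own.

```python
import itertools
import secrets


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def alice_boxes(w, n, rng=secrets.token_bytes):
    """Alice's side of protocol P: the alpha n-tuples loaded into the OT boxes
    (box j, entry k, both 0-based) and the number of random bits she used.
    Needs N-1 divisible by n-1 and all strings of equal length."""
    N, l = len(w), len(w[0])
    assert (N - 1) % (n - 1) == 0
    alpha = (N - 1) // (n - 1)
    # x_0 = 0^l, x_1..x_{alpha-1} random, x_alpha = w_N
    x = [bytes(l)] + [rng(l) for _ in range(alpha - 1)] + [w[N - 1]]
    boxes = []
    for j in range(alpha):
        entries = [xor(w[j * (n - 1) + k], x[j]) for k in range(n - 1)]  # w_{j(n-1)+k+1} xor x_j
        entries.append(xor(x[j + 1], x[j]))                               # x_{j+1} xor x_j
        boxes.append(entries)
    return boxes, 8 * l * (alpha - 1)


def ideal_ot(box, k):
    """The ideal (n choose 1)-OT: Bob obtains entry k only; Alice learns nothing about k."""
    return box[k]


def honest_choices(i, N, n):
    """Entries (0-based) honest Bob reads in boxes 0..j_0 to obtain w_i (i is 1-based)."""
    alpha = (N - 1) // (n - 1)
    j0 = (i - 1) // (n - 1) if i != N else alpha - 1
    last = (i - 1) % (n - 1) if i != N else n - 1
    return [n - 1] * j0 + [last], j0


def bob_recover(boxes, i, N, n):
    """Steps 3 and 4: XOR of z_0..z_{j_0} telescopes to w_i."""
    choices, j0 = honest_choices(i, N, n)
    out = bytes(len(boxes[0][0]))
    for j in range(j0 + 1):
        out = xor(out, ideal_ot(boxes[j], choices[j]))
    return out


# --- what an arbitrary Bob learns: the characteristic-vector view of Local Claim 2 ---

def entry_vector(N, n, j, k):
    """Bitmask of box j, entry k, over variables w_1..w_N (bits 0..N-1)
    and x_1..x_{alpha-1} (bits N..N+alpha-2); x_0 = 0 and x_alpha = w_N."""
    alpha = (N - 1) // (n - 1)
    wbit = lambda i: 1 << (i - 1)
    xbit = lambda j: 0 if j == 0 else (wbit(N) if j == alpha else 1 << (N + j - 1))
    if k < n - 1:
        return wbit(j * (n - 1) + k + 1) ^ xbit(j)
    return xbit(j + 1) ^ xbit(j)


def reduce_vec(basis, v):
    """Reduce v against a GF(2) basis kept sorted by leading bit (descending)."""
    for b in basis:
        v = min(v, v ^ b)
    return v


def insert_vec(basis, v):
    v = reduce_vec(basis, v)
    if v:
        basis.append(v)
        basis.sort(reverse=True)


def learnable(N, n, choices):
    """Indices i whose w_i is determined by the chosen entries (one per box)."""
    basis = []
    for j, k in enumerate(choices):
        insert_vec(basis, entry_vector(N, n, j, k))
    return [i for i in range(1, N + 1) if reduce_vec(basis, 1 << (i - 1)) == 0]


def rank_of_all_entries(N, n):
    """Rank of all alpha*n entry vectors; equals N+alpha-1 iff they are independent."""
    alpha = (N - 1) // (n - 1)
    basis = []
    for j in range(alpha):
        for k in range(n):
            insert_vec(basis, entry_vector(N, n, j, k))
    return len(basis)


def every_strategy_learns_exactly_one(N, n):
    """Over all n^alpha ways of picking one entry per box, Bob pins down exactly one w_i."""
    alpha = (N - 1) // (n - 1)
    return all(len(learnable(N, n, c)) == 1
               for c in itertools.product(range(n), repeat=alpha))


if __name__ == "__main__":
    w = [bytes([i]) * 4 for i in range(1, 8)]        # constructed: N = 7 strings of 4 bytes
    boxes, bits = alice_boxes(w, 3)                  # n = 3, so alpha = 3 boxes
    print("invocations:", len(boxes), " sender random bits:", bits)
    print("honest Bob recovers all:", all(bob_recover(boxes, i, 7, 3) == w[i - 1] for i in range(1, 8)))
    print("rank of all entries:", rank_of_all_entries(7, 3), "= N+alpha-1 =", 7 + 3 - 1)
    print("every strategy learns exactly one string:", every_strategy_learns_exactly_one(7, 3))
```

With $N = 7$, $n = 3$ the simulation uses $\alpha = 3$ invocations and $\ell(\alpha-1) = 64$ random bits for 4-byte strings, matching $\frac{N-1}{n-1}$ and $\frac{\ell(N-n)}{n-1}$; the exhaustive check over all $3^3$ reading strategies is the finite counterpart of the sender-privacy argument that follows.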

We now prove that the above protocol indeed implements strong $\binom{N}{1}$-OT$_2^\ell$.
The Correctness Property (P1) is clear since $(w_i\oplus x_{j_0})\oplus(x_{j_0}\oplus x_{j_0-1})\oplus\ldots\oplus(x_2\oplus x_1)\oplus x_1 = w_i$.
The Receiver Privacy (P2) is clear as well since the scheme is
natural and, as we just saw, Bob can recover any $w_i$. We now show the main
condition (P3).

Let $W = W_1,\ldots,W_N$ be chosen at random as well as Alice's random string
$R = x_1,\ldots,x_{\alpha-1}$. Let $V$ be the random variable containing all $(\alpha n)$ values
of the $\binom{n}{1}$-OT$_2^\ell$ boxes. We can assume w.l.o.g. that in each of the $\alpha$ OT boxes
Bob indeed read one entire $\ell$-bit string that he chose (he cannot learn more
and it "does not hurt" to learn as much as possible). Thus, define $V_r$ to be the
$\alpha$-tuple of $\ell$-bit strings that Bob read, i.e. everything that Bob learned from the
protocol. Let $t_0,\ldots,t_{\alpha-1}$, where $t_j \in [1,n]$, be the (random variables denoting
the) indices of the $\alpha$ strings that Bob read.

Let $j_0$ be the smallest number such that $t_{j_0} \ne n$, if it exists. Otherwise, $j_0 =
\alpha-1$. Thus, Bob learned $x_1,\ x_1\oplus x_2,\ \ldots,\ x_{j_0-1}\oplus x_{j_0}$ and some $w_i\oplus x_{j_0}$.
Clearly, this enables him to reconstruct $w_i$ (the exceptional case of all $t_j = n$
falls here as well, giving Bob $w_N$). We let $I = i$. First of all, $I$ is independent from
$W$. Indeed, Bob chose to read index $t_{j_0}$ in the $j_0$-th invocation of $\binom{n}{1}$-OT$_2^\ell$ based
only on his random coins and $x_1,\ x_1\oplus x_2,\ \ldots,\ x_{j_0-1}\oplus x_{j_0}$, which do not
depend on $W$. Thus, it suffices to show that $I(V_r;W \mid W_I) = 0$. But we already
observed that $W_I$ is determined from $V_r$. Hence, using Lemma 2 (equations 4
and 3),

$$I(V_r;W) = I((V_r,W_I);W) = I(W_I;W) + I(V_r;W \mid W_I) = \ell + I(V_r;W \mid W_I).$$
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Thus, we only need to show that I(K; W) = £, i.e. to establish the weak property 
(P3'). Intuitively, Bob always learns some Wj, i.e. ^ bits of information. So if 
we show that he does not learn more than £ bits of information, we know that 
the only thing he learned was that one string Wj. We proceed by showing a 
sequence of easy claims. 

Local Claim 1: $W$ is a function of $V$, i.e.

$$H(W \mid V) = 0 \qquad (7)$$

Proof: We already saw from correctness that $V$ determines each string $w_i$. ■

Local Claim 2:

$$H(V \setminus V_r \mid V_r) = \ell(N - 1) \qquad (8)$$

Proof: We show that all $(an)$ $\ell$-bit strings of $V$ are totally independent when $W$ and $R$ are randomly chosen. Let us view each such string in $V$ as an $(N + a - 1)$-dimensional vector over $\mathbb{Z}_2$ by taking the characteristic vector of the equation defining this string. Since all $w_i$ and $x_j$ are chosen randomly, our strings are independent iff the corresponding vectors are linearly independent. Assume that some linear combination of vectors in $V$ is zero. This combination cannot include a vector depending on some $w_i$, as there is only one such vector in $V$. And the remaining vectors $x_1, x_1 \oplus x_2, \ldots, x_{a-2} \oplus x_{a-1}$ are clearly linearly independent. And since our disjoint split of $V$ into $V_r$ and $V \setminus V_r$ does not depend on $V \setminus V_r$, we get that $V \setminus V_r$ is independent of $V_r$, so by Lemma 2 (equation 5), $H(V \setminus V_r \mid V_r) = |V \setminus V_r| = \ell(n-1)a = \ell(N-1)$. ■

Local Claim 3: $V \setminus V_r$ is determined from $W$ and $V_r$, i.e.

$$H(V \setminus V_r \mid (W, V_r)) = 0 \qquad (9)$$

Proof: The knowledge of $W$ and any string $w_i \oplus x_{a-1}$ in the last $\binom{n}{1}$-OT$^{\ell}$ box (which we have from $V_r$) determines $x_{a-1}$. Knowing $x_{a-1}$, $W$ and any string of the form $z \oplus x_{a-2}$ from the next to last $\binom{n}{1}$-OT$^{\ell}$ box (which we have from $V_r$, where $z$ is either some $w_i$ or $x_{a-1}$) enables one to deduce $x_{a-2}$. Continuing this way, we determine $x_1$ from the first $\binom{n}{1}$-OT$^{\ell}$ box, which allows us to reconstruct the whole $V \setminus V_r$. ■

Combining Local Claims 1, 2, 3 and using Lemma 2 (equations 1, 2 and 3),

$$\ell N = H(W) = H(W) - H(W \mid V) = I(V; W) = I(V_r; W) + I(V \setminus V_r; W \mid V_r)$$

$$= I(V_r; W) + H(V \setminus V_r \mid V_r) - H(V \setminus V_r \mid (W, V_r)) = I(V_r; W) + \ell(N - 1)$$

Hence, $I(V_r; W) = \ell$ indeed. This completes the proof of correctness when $L = \ell$.

For $\ell < L$ we give a trivial protocol that sacrifices the strong property (P3), leaving only (P3'). The protocol simply splits each of the strings of the database into $L/\ell$ disjoint parts of length $\ell$ each, and performs the previous protocol implementing $\binom{N}{1}$-OT$^{\ell}$ using $\binom{n}{1}$-OT$^{\ell}$. It uses $\frac{L}{\ell} \cdot a$ invocations of $\binom{n}{1}$-OT$^{\ell}$ and $\frac{L}{\ell} \cdot \ell(a-1)$ random bits as claimed. The correctness is clear, except for Alice's privacy. We clearly lose the strong property (P3) as Bob can learn up to $L/\ell$ different blocks of length $\ell$ from different strings. However, the weak property (P3') still holds as the $L/\ell$ groups of boxes are totally independent, and from each of them Bob can learn at most $\ell$ bits about $W$, i.e. a total of at most $\ell \cdot \frac{L}{\ell} = L$ bits.
Abstract. We consider the problem of basing Oblivious Transfer (OT) and Bit Commitment (BC), with information theoretic security, on seemingly weaker primitives. We introduce a general model for describing such primitives, called Weak Generic Transfer (WGT). This model includes as important special cases Weak Oblivious Transfer (WOT), where both the sender and receiver may learn too much about the other party's input, and a new, more realistic model of noisy channels, called unfair noisy channels. An unfair noisy channel has a known range of possible noise levels; protocols must work for any level within this range against adversaries who know the actual noise level.

We give a precise characterization for when one can base OT on WOT. When the deviation of the WOT from the ideal is above a certain threshold, we show that no information-theoretic reductions from OT (even against passive adversaries) and BC exist; when the deviation is below this threshold, we give a reduction from OT (and hence BC) that is information-theoretically secure against active adversaries.

For unfair noisy channels we show a similar threshold phenomenon for bit commitment. If the upper bound on the noise is above a threshold (given as a function of the lower bound) then no information-theoretic reduction from OT (even against passive adversaries) or BC exists; when it is below this threshold we give a reduction from BC. As a partial result, we give a reduction from OT to UNC for smaller noise intervals.



1 Introduction

A 1 out of 2 Oblivious Transfer (1-2 OT) protocol is one by which a sender with 2 bits $b_0, b_1$ as input can interact with a receiver with a bit $c$ as input. Ideally, the sender should learn nothing new from the protocol, whereas the receiver should learn $b_c$ and nothing more. Several variants of OT exist, but it does not matter much which one we consider, as they are almost all equivalent (see e.g. [?]).

A bit commitment scheme is a pair of protocols Commit and Open executed by two parties, a committer, C, and a receiver, R. First, C and R execute Commit,

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 56-73, 1999.

© Springer-Verlag Berlin Heidelberg 1999
where C has a bit $b$ as input; R either accepts that a commitment has taken place or rejects. Ideally, the receiver should learn no information about $b$ from this. Later, they may execute Open, after which R returns accept 1, accept 0 or reject. We require our protocols to be correct, private and binding:

Correctness: If both parties follow the protocol, R should always accept with the same value ($b$) that C wished to commit to.

Privacy: Committing to $b$ reveals nothing to the receiver about $b$.

Binding: C cannot cause R to accept a commitment, and then be able to execute Open so that R accepts a 1 and also be able to execute Open so that R accepts a 0.

We have described the ideal requirements here. However, usually when building such protocols, one accepts an error that can be made negligibly small as a function of some security parameter $k$.

A great deal of work has gone into how to implement oblivious transfer and bit commitment based on seemingly weaker primitives. For example, a binary symmetric channel (BSC) is one that allows a sender S to send a bit $b_S$ to a receiver R, such that a bit $b_R$ will be received, which is not necessarily equal to $b_S$. There is a constant probability $0 < \delta < 1/2$, called the noise level of the channel, such that each time the channel is invoked, $\Pr(b_S \neq b_R) = \delta$. Another, essentially equivalent formulation has S and R receiving random bits $b_S$ and $b_R$ that are individually unbiased but correlated so that $\Pr(b_S \neq b_R) = \delta$. Another equivalent formulation has a random bit $b$ transmitted to both parties through independent noisy channels. One motivation for the last two formulations is that one might want to implement noisy channels by a very weak broadcast source, such as a satellite.

Crépeau and Kilian [?] showed that a BSC can be used to implement 1-2 OT with unconditional (information theoretic) security; the efficiency of this reduction was later improved by Crépeau [?], who also directly implemented a bit commitment scheme (indirectly, bit commitment can be based on 1-2 OT).

The reductions given in [?] rely on the fact that $\delta$ is known exactly by each party. However, in real life it may be possible for one party to surreptitiously alter the noise level of the channel. If the noise is induced by a communications channel then it may be possible to alter the mechanism (say by heating it up or cooling it down), or change the way it uses the mechanism, to change the noise rate. For example, suppose the channel consists of two pieces of optical fibre with a repeater station in between, a very common case in practice. If one party has access to the data received by the repeater station, then he can send and receive a cleaner signal than the other party expects him to. In the case of a noisy broadcast channel, an adversary might send a jamming signal or buy a more sensitive antenna. Note that while it may be hard to hide the fact that one has made a channel noisier, one can always hide the fact that one has made it less noisy, simply by deliberately garbling one's own messages and pretending to hear a more garbled version than one has actually heard.

Such "unfair advantages" are not always devastating for applications to cryptography: Maurer [?] shows that secure key exchange between two parties with access to a random but noisy signal is possible, even in the presence of an enemy who can receive the signal much more reliably than the honest players. However, this scenario is a game for two parties who trust each other and want to be protected "against the rest of the world." It is natural to ask if we can still make do with unfair channels in case of games between two mutually distrusting parties. Unfortunately, the protocols of [?] break down in this scenario.



1.1 Our Results 

In this paper we propose a general model for two-party primitives where a cheat- 
ing player can get more information than an honest one; we call this model Weak 
Generic Transfer (WGT). We then consider a number of important subcases 
and show when they can and cannot be used as a basis for bit commitment and 
oblivious transfer. 

We consider a family of Weak Oblivious Transfers, which are 1-2 OT protocols with the following faults: with probability (at most) $p$ a cheating sender will learn which bit the receiver chose to receive, and with probability $q$ a cheating receiver will learn both of the sender's input bits. Note that the honest participants only receive what they are supposed to receive; this extra information cannot be relied on. We call such a protocol a $(p, q)$-WOT. We give tight results for when one can reduce oblivious transfer to $(p, q)$-WOT.

In the statement of our results, when we use “reduction” we mean a reduction 
that is information-theoretically secure against unbounded adversaries, where 
deviations from the ideal are negligible in a given security parameter. 

Theorem 1. 1-2 OT and BC can be reduced to $(p, q)$-WOT iff $p + q < 1$.

We also consider a still noisier model, denoted $(p, q, \varepsilon)$-WOT, in which with probability at most $\varepsilon$ an honest receiver receives $\overline{b_c}$ instead of $b_c$ (i.e., the incorrect value); a cheating receiver is under no such handicap. In this case, we prove positive and negative results that are no longer tight.

Theorem 2. 1-2 OT can be reduced to $(p, q, \varepsilon)$-WOT, for the case of passive adversaries, if $p + q + 2\varepsilon < .45$. No reductions from 1-2 OT or BC exist if $p + q + 2\varepsilon > 1$.

Passive adversaries, also known as “honest but curious” adversaries follow 
the protocol, but then try to use their view of the protocol execution to violate 
the security conditions. 

Both theorems comprise a constructive result and an impossibility result. The constructive result of Theorem 1 generalizes a theorem of [?], which solves the special cases where either $p$ or $q$ is 0 (or negligible in the security parameter). Brassard/Crépeau [?] and Cachin [?] consider a more general model of WOT, where the extra information that an adversary learns is only specified by a general information measure, but here again the weakness is one-sided: only the receiver learns extra information. Prior to this work, few nontrivial impossibility results of this type were known (see [?] for one such result). These impossibility results hold even if security against passive cheating is required and the honest players are allowed infinite computing power.

We note that one motivation for the study of these imperfect protocols is that they provide easier to achieve steps for other reductions. For example, our reduction from 1-2 OT to unfair noisy channels first reduces $(p, q, \varepsilon)$-WOT to unfair noisy channels.

We finally consider unfair noisy channels (UNC). These channels have parameters $\gamma$ and $\delta$, where $\gamma, \delta < 1/2$. The noise level $p$ of this channel is guaranteed to fall into the interval $[\gamma, \delta]$. The protocol must work for any $p$ in this range; however the value of $p$ is not known to the honest players (but may be set within this range by the adversary).

Theorem 3. For $\delta > 2\gamma(1 - \gamma)$, neither 1-2 OT nor BC may be reduced to $(\gamma, \delta)$-UNC. For $\delta < 2\gamma(1 - \gamma)$ BC may be reduced to $(\gamma, \delta)$-UNC. Finally, 1-2 OT may be reduced to $(\gamma, \delta)$-UNC if — ^(1 — a)) > where

; a = ;/3 = TTs ; C =

1.2 Techniques Used 

All of our impossibility results rely on a general simulation technique that allows us to leverage the result that it is impossible to implement 1-2 OT (information-theoretically) given only a clear channel.

Our upper bounds for $(p, q)$-WOT and $(p, q, \varepsilon)$-WOT use some reductions first used in [?]. The reduction from bit commitment to $(\gamma, \delta)$-UNC is based on the interactive hashing technique of [?]. The precise hashing method of [?] doesn't work for our application; instead we use families of universal hash functions [?]. Hash functions are ubiquitous in cryptography; two classic results on achieving privacy with universal hash functions are [?] and [?]. For the specifics of our analysis we use bounds on their behaviour implied by the results of [?].

Guide to the Paper. In Section 2 we give the general scenario for weak generic transfer. In Section 3 we show impossibility results for reducing 1-2 OT and bit commitment to $(p, q)$-WOT, $(p, q, \varepsilon)$-WOT and $(\gamma, \delta)$-UNC. In Section 4 we give reductions from 1-2 OT (and hence bit commitment) to $(p, q)$-WOT and $(p, q, \varepsilon)$-WOT. In Section 5 we give a reduction from bit commitment to $(\gamma, \delta)$-UNC. In Section 6 we give a reduction from 1-2 OT to $(\gamma, \delta)$-UNC.

2 The General Scenario: Weak Generic Transfer 

In order to show more clearly the basic properties we study, we start with a 
general scenario that includes as special cases those primitives we later study in 
greater detail. 

First, we describe a specification for standard two party primitives, and then 
show how to augment these specifications to model interesting deviations from 
the ideal behaviour of the protocol. 
Initially, our scenario includes two players A, B that start with private inputs $x_A, x_B$, respectively chosen from domains $X_A$ and $X_B$ (the precise nature of these domains has no impact on the following discussion). A specification for a standard two-party primitive is a function output that maps $(x_A, x_B)$ to a probability measure $D$ on $Y_A \times Y_B$. When the primitive is executed with inputs $(x_A, x_B)$, $D = \mathrm{output}(x_A, x_B)$ is computed, $(y_A, y_B)$ is chosen according to $D$, $y_A$ is sent to A and $y_B$ is sent to B. This framework is powerful enough to model primitives such as OT, 1-2 OT and binary symmetric channels.

To model the possibility that a primitive might inadvertently leak information, we modify $D$ to be a distribution on $(Y_A \times Z_A) \times (Y_B \times Z_B)$; $((y_A, z_A), (y_B, z_B))$ are sampled from $D$. If A is honest, then A receives only $y_A$, but if A is corrupt, it also receives $z_A$; B behaves symmetrically.

We can model passive ("honest but curious") adversaries by simply specifying that an adversary $Q \in \{A, B\}$ follows the protocol, ignoring $z_Q$, and then later learns what it can from the values of $z_Q$ that it obtained. An active adversary may immediately use this extra information in planning its next move.

We have modeled deviations from privacy; we now model deviations in behaviour. Instead of having a single function output, we have a (possibly infinite) set $S$ of functions $\{\mathrm{output}\}$, which contains a "default" $\mathrm{output}_D$. When the protocol is executed, the adversary has the option of choosing output from $S$; the protocol then behaves as before. If there is no adversary, then the default $\mathrm{output}_D$ is used. We say that $S$ specifies a Weak Generic Transfer (WGT). We will assume throughout that A and B have access to the WGT as a black box and can execute it independently as many times as they wish.

A WGT may consist of a protocol where for instance a noisy channel is used 
several times, and the protocol instructs one player to send the same bit each 
time. An active cheater may choose not to do so, and so he may behave in a 
way that is not consistent with any legal input value; in this case we say that he 
inputs “?.” We cannot require in general that a WGT prevents such behaviour: 
this would require that the cheater was committed to his input, and it is not 
clear a priori that a WGT implies bit commitment (indeed some WGT’s don’t, 
as we shall see). The best we can ask for in case of active cheating is therefore 
that the following is satisfied: 

— For any active cheating strategy followed by A (B), there exists an input value $x$ such that A (B) learns nothing more than what is implied by the view of a passively cheating player with input $x$.

If this is satisfied, we say that the WGT is secure against active cheating (but 
note that the only security we ask for here is that active cheating does not give 
any advantage over passive cheating). 

It should be clear that $(\gamma, \delta)$-UNC, $(p, q)$-WOT and $(p, q, \varepsilon)$-WOT are special cases of WGT. Note that only for the case of $(\gamma, \delta)$-UNC may an adversary choose between more than one output distribution function.
3 Impossibility Results

The basic question we can ask is now: given a WGT, can we build OT or BC based on it? It is easy to characterize a class of WGT's where the answer is no. We first consider the case where there is only noiseless communication between A and B, and consider any interactive protocol between them, of the following form:

— A starts with input $x_A$, B starts with input $x_B$.

— The players exchange a finite number of messages, and the protocol specifies at each stage a probabilistic algorithm for computing the next message, given the input, and all messages and random coins seen so far.

— The view of a player ($\mathrm{View}_A$, $\mathrm{View}_B$) is as usual defined to be the player's input and random coins, along with all messages received from the other player. At the end, A and B compute their results, $y_A$ and $y_B$, from their views by some function, i.e., $y_Q = f_Q(\mathrm{View}_Q)$.

It is clear that any such protocol can be seen as a WGT by letting $z_A = \mathrm{View}_A$ and $z_B = \mathrm{View}_B$; this method for producing $y_A, y_B, z_A, z_B$ from $x_A, x_B$ defines a probability measure $D(x_A, x_B)$, and we define just one output distribution function output which always returns $D(x_A, x_B)$. Honest players will ignore anything except for the result specified $(y_A, y_B)$, but a passively cheating player may use its entire view to compute extra information.

It is well known (and easy to see) that in a two-player scenario with only noiseless communication, OT and BC with information theoretic security is not possible, even if only passive cheating is assumed, and players are allowed infinite computing power. Hence, OT and BC are not reducible to the above WGT. We call such a WGT trivial.

We now show how to "implement" $(p, q, \varepsilon)$-WOT in this manner, where $2\varepsilon = 1 - p - q$. Consider the following protocol, in which A has input $(b_0, b_1)$ and B has input $c$.

Protocol SimNoisyWOT$[p, q]((b_0, b_1), c)$

1. With probability $q$, A announces $(b_0, b_1)$, B computes $b_c$ and the protocol terminates; otherwise, A announces "pass".

2. If A passes, then with probability $p/(1 - q)$, B sends $c$ to A, who replies with $b_c$; otherwise, B chooses $b_c$ at random.
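The following simulation, an added example rather than the paper's own code, executes SimNoisyWOT$[p, q]$ over a clear channel with a seeded pseudo-random source and compares the observed leakage and error frequencies with the case analysis that follows. The input bits of each trial are drawn at random (constructed data); the function and field names are this example's own.

```python
import random
from dataclasses import dataclass


@dataclass
class Outcome:
    b_saw_both: bool    # A announced (b0, b1) in step 1
    a_saw_c: bool       # B sent c in the clear in step 2
    b_output: int       # the value B ends up using as b_c


def sim_noisy_wot(b0: int, b1: int, c: int, p: float, q: float, rng: random.Random) -> Outcome:
    """One execution of SimNoisyWOT[p, q]((b0, b1), c) using only clear messages."""
    assert 0 <= p and 0 <= q and p + q <= 1
    if rng.random() < q:                         # step 1: A reveals both bits
        return Outcome(True, False, (b0, b1)[c])
    # A announced "pass"; step 2: with probability p/(1-q), B reveals c and gets b_c back
    if rng.random() < p / (1 - q):
        return Outcome(False, True, (b0, b1)[c])
    return Outcome(False, False, rng.randrange(2))   # otherwise B guesses b_c


def exact_rates(p: float, q: float):
    """The case analysis: B learns both w.p. q, A learns c w.p. (1-q) * p/(1-q) = p,
    and B takes a wrong b_c w.p. (1-q) * (1 - p/(1-q)) * 1/2 = (1-p-q)/2 = epsilon."""
    return q, p, (1 - p - q) / 2


def estimate_rates(p: float, q: float, trials: int = 20000, seed: int = 7):
    """Monte Carlo over constructed random inputs; returns the observed frequencies
    (B saw both bits, A saw c, B's value differs from b_c)."""
    rng = random.Random(seed)
    both = learned = wrong = 0
    for _ in range(trials):
        b0, b1, c = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        r = sim_noisy_wot(b0, b1, c, p, q, rng)
        both += r.b_saw_both
        learned += r.a_saw_c
        wrong += r.b_output != (b0, b1)[c]
    return both / trials, learned / trials, wrong / trials
```

With $p = 0.2$, $q = 0.3$ the simulated primitive is a $(0.2, 0.3, 0.25)$-WOT and $p + q + 2\varepsilon = 1$ exactly, which is the boundary Lemma 4 is about.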

By a straightforward case analysis, B learns both $b_0$ and $b_1$ with probability $q$, A learns $c$ with probability $p$ and B receives an incorrect value of $b_c$ with probability $(1 - p - q)/2 = \varepsilon$. Aside from easily simulated messages, such as "pass", the view of each side corresponds to the view it could obtain from an actual run of a $(p, q, \varepsilon)$-WOT primitive. Now, suppose we had a 1-2 OT protocol based on a $(p, q, \varepsilon)$-WOT primitive. If we replaced each execution of the $(p, q, \varepsilon)$-WOT by an execution of the SimNoisyWOT$[p, q]$ primitive, then the view of each party, taken in isolation, would be unchanged. Since the security of 1-2 OT (at least against passive adversaries) is defined solely in terms of properties of Player A's view and properties of Player B's view, the resulting protocol would remain secure against passive adversaries. This would give a "mental 1-2 OT" protocol, information-theoretically secure against passive adversaries, a contradiction. Similarly, there is no information-theoretically secure (against both parties) mental bit commitment protocol, even if both parties are guaranteed to follow the Commit protocol; we can in a very similar way derive a contradiction.

The above argument implies the following lemma. 

Lemma 4. There is no reduction from 1-2 OT or BC to $(p, q, \varepsilon)$-WOT when $p + q + 2\varepsilon > 1$, even if only security against passive adversaries is required.

Remark: The simulation argument was for $p + q + 2\varepsilon = 1$. If $p + q + 2\varepsilon > 1$, choose $\varepsilon' = (1 - p - q)/2 < \varepsilon$; the impossibility argument works for $(p, q, \varepsilon')$-WOT. Note that a $(p, q, \varepsilon')$-WOT primitive also meets the requirements of a $(p, q, \varepsilon)$-WOT primitive, since its error rate cannot be higher than $\varepsilon$, so a protocol that works for $(p, q, \varepsilon)$-WOT must work for $(p, q, \varepsilon')$-WOT as well.

We now consider the case of the noisy channel. Consider the following purely 
mental protocol, in which A has input b. 

Protocol SimUNC$[\gamma](b)$

1. A and B pick $b_A$ and $b_B$ respectively, such that $\Pr(b_A = 1) = \Pr(b_B = 1) = \gamma$.

2. A sends $b' = b \oplus b_A$ to B. B computes $b^* = b' \oplus b_B$, denoting $b^*$ as the received bit, while no output is defined for A.
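As an added example that is not from the paper, the following Python code runs SimUNC$[\gamma](b)$ and measures the error rate of the honest view next to that of a passive cheater who, knowing his own noise bit, strips his half of the noise; this is the gap between $\delta = 2\gamma(1 - \gamma)$ and $\gamma$ that the PassiveUNC discussion relies on. Names and the seeded random source are this example's own.

```python
import random


def sim_unc(b: int, gamma: float, rng: random.Random):
    """One execution of SimUNC[gamma](b); returns (bA, b', bB, b*)."""
    bA = int(rng.random() < gamma)      # A's private noise bit, Pr[bA = 1] = gamma
    bB = int(rng.random() < gamma)      # B's private noise bit, Pr[bB = 1] = gamma
    b_prime = b ^ bA                    # sent in the clear
    b_star = b_prime ^ bB               # what B calls the received bit
    return bA, b_prime, bB, b_star


def honest_noise(gamma: float) -> float:
    """b* != b exactly when bA != bB, i.e. with probability 2*gamma*(1-gamma):
    the delta at which Theorem 3 places the threshold."""
    return 2 * gamma * (1 - gamma)


def estimate(gamma: float, trials: int = 20000, seed: int = 3):
    """Observed error rate of the honest view (b* against b) and of a passively
    cheating B who XORs his own bB back out and so sees b' = b xor bA, noisy only
    with probability gamma. Inputs are constructed at random per trial."""
    rng = random.Random(seed)
    honest_err = cheat_err = 0
    for _ in range(trials):
        b = rng.randrange(2)
        bA, b_prime, bB, b_star = sim_unc(b, gamma, rng)
        honest_err += b_star != b
        cheat_err += (b_star ^ bB) != b      # equals b_prime != b, i.e. bA == 1
    return honest_err / trials, cheat_err / trials
```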

Consider a WGT which between honest players A and B is a BSC with noise level $\delta$, but where if A or B cheats passively, then some extra information is available and allows to reduce the noise level to $\gamma$, seen from the cheater's point of view. Let us call this a $(\gamma, \delta)$-PassiveUNC. It is similar to but not the same as a $(\gamma, \delta)$-UNC. It immediately follows from the above protocol that a $(\gamma, \delta)$-PassiveUNC is trivial if $\delta = 2\gamma(1 - \gamma)$, and in fact in general if $\delta > 2\gamma(1 - \gamma)$. And so there is no reduction of 1-2 OT or BC to $(\gamma, \delta)$-PassiveUNC in this case, not even if only passive security is required.

Now, suppose we have a reduction from 1-2 OT to a $(\gamma, \delta)$-UNC, where $\delta = 2\gamma(1 - \gamma)$, one secure against active attacks. We compare the following two cases: In case 1 the reduction is attacked by an adversary using the following active cheating strategy for a player $Q \in \{A, B\}$: Q sets the noise level for the UNC to be $\gamma$ always, and then does the following: Whenever Q is supposed to send a bit through the channel, Q first flips it with probability $\gamma$ and then sends it. Similarly, whenever Q receives a bit from the channel, Q flips it with probability $\gamma$ and acts as if that was the bit actually received. In any other cases, Q follows the algorithm specified by the reduction. Case 2: we execute the algorithm of the reduction substituting the $(\gamma, \delta)$-UNC by a $(\gamma, \delta)$-PassiveUNC, and the adversary executes a passive attack.

There is no difference between the cases from the honest player’s point of 
view. Observe that in case 1, the adversary following the strategy for Q knows 
as much about every bit sent and received by his opponent as a passive adversary 



knows in case 2. So since the reduction is secure in case 1, it must be secure in case 2, and we have a contradiction. Essentially the same argument works for bit commitment. So we have proved:

Lemma 5. There is no reduction from 1-2 OT or BC to $(\gamma, \delta)$-UNC when $\delta > 2\gamma(1 - \gamma)$.

This motivates the following interesting and open question: Which non-trivial 
cryptographic primitives (if any) can be implemented based on a WGT assuming 
only that it is non trivial? 



4 Reducing 1-2 OT to $(p, q)$-WOT and $(p, q, \varepsilon)$-WOT

We now look at the possibility of building a 1-2 OT or commitments from a WOT. A reduction that accomplishes such a task can be thought of as a program that gets the noise levels of a UNC or the error probabilities of a WOT and a security parameter value $k$ as input and then instructs at each point in time one of the players to either send a message in the clear to the other player, or send a bit through the noisy channel. Any information known to the player at the time can be used, together with any number of random bits, to compute the next message to send. We make no assumption on the amount of computation required.



4.1 Preliminaries

For a reduction of 1-2 OT to UNC, let $I_c(k, \delta, \gamma)$, $I_{b_c}(k, \delta, \gamma)$, $I_{b_{1-c}}(k, \delta, \gamma)$ be the expected information that the sender obtains about $c$, the receiver obtains about $b_c$, and the receiver obtains about $b_{1-c}$ respectively. We will say that the reduction works for values $\delta, \gamma$, if $\lim_{k \to \infty} I_c(k, \delta, \gamma) = \lim_{k \to \infty} I_{b_{1-c}}(k, \delta, \gamma) = 0$ and $\lim_{k \to \infty} I_{b_c}(k, \delta, \gamma) = 1$. For a reduction of 1-2 OT to $(p, q)$-WOT, we use the same definitions, but with $(\delta, \gamma)$ replaced by $(p, q)$.

For a reduction of bit commitment to UNC, let $I_b(k, \delta, \gamma)$ be the expected information the receiver obtains about $b$ in the Commit protocol, and let $p(k, \delta, \gamma)$ be the probability that the binding condition fails. We will say that the reduction works for values $\delta$ and $\gamma$, if $\lim_{k \to \infty} I_b(k, \delta, \gamma) = \lim_{k \to \infty} p(k, \delta, \gamma) = 0$.

We refer to [?] for a more sophisticated definition of 1-2 OT; our protocols meet this definition as well.

The set of pairs for which a reduction works will be called the range of the reduction. We will say that a reduction works efficiently in a point in its range, if the required convergence in $k$ is exponential, and the number of calls to the WOT or UNC is polynomial in $k$. This is usually required for a reduction to be useful in practice, but note that our impossibility results hold even if efficiency is not required.
4.2 Some Useful Reductions

We use the following two known reductions for basing 1-2 OT on $(p, q)$-WOT. The first is designed to reduce the chance that the sender (A) learns too much, while the second is targeted against the chance of the receiver (B). Both reductions are assumed to be given as a black box a protocol W implementing $(p, q)$-WOT, and work with security parameter $k$. S-Reduce is taken from [?] while R-Reduce is more or less folklore.

Protocol S-Reduce$(k, W)$

1. Let $(b_0, b_1)$ resp. $c$ be the input of the sender, resp. the receiver.

2. W is executed $k$ times, with inputs $(b_{0i}, b_{1i})$, $i = 1..k$ from the sender and $c_i$, $i = 1..k$ from the receiver. Here, the $b_{0i}$'s are uniformly chosen, such that $b_0 = \bigoplus_{i=1}^{k} b_{0i}$, $b_{1i} = b_{0i} \oplus b_0 \oplus b_1$, and the $c_i$'s are uniformly chosen such that $c = \bigoplus_{i=1}^{k} c_i$.

3. The receiver computes his output bit as the XOR of all bits received in the $k$ executions of W.



Protocol R-Reduce$(k, W)$

1. Let $(b_0, b_1)$ resp. $c$ be the input of the sender, resp. the receiver.

2. W is executed $k$ times, with inputs $(b_{0i}, b_{1i})$, $i = 1..k$ from the sender and $c_i$, $i = 1..k$ from the receiver. Here, $c_i = c$, $b_{01} \oplus \ldots \oplus b_{0k} = b_0$ and $b_{11} \oplus \ldots \oplus b_{1k} = b_1$.

3. The receiver computes the XOR of all bits received.



Lemma 6. When given $k$ and a $(p, q)$-WOT W as input, S-Reduce$(k, W)$ implements a $(p^k, 1 - (1 - q)^k)$-WOT, and R-Reduce$(k, W)$ implements a $(1 - (1 - p)^k, q^k)$-WOT protocol. Both protocols produce a WOT secure against active cheating if the given WOT has this property.



Proof (sketch). First, it follows by inspection that the protocols allow the players to compute the correct output. As for the error probabilities, note that for S-Reduce a bad sender will learn $c$ iff he learns all $c_i$'s, which happens with probability $p^k$. On the other hand, a bad receiver can learn both $b_0$ and $b_1$ if he learns just one pair $(b_{0i}, b_{1i})$, and this happens with probability $1 - (1 - q)^k$. The case of R-Reduce is similar, but with the chances of sender and receiver reversed. The last claim follows easily: In S-Reduce, security of W means that none of the parties can gain anything from inputting ? to W. And if indeed no ? is input to any W instance, R always behaves consistently with some input $c$, namely the value $c = \bigoplus_{i=1}^{k} c_i$. S can behave inconsistently by choosing bad values for his bits, but this will not give him more information on $c$. The case of R-Reduce is similar. □
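The following Python code is an added example (not the paper's own code) that builds the $(p, q)$-WOT in the WGT form of Section 2, a call returning $((y_A, z_A), (y_B, z_B))$ where the $z$-values are the extra information only a corrupt party reads, and then runs S-Reduce and R-Reduce on top of it, measuring correctness and leakage against the probabilities Lemma 6 states. The class, function names and seeded random source are this example's own; inputs are constructed at random per trial.

```python
import random
from functools import reduce
from operator import xor
from typing import List, Tuple


class WeakOT:
    """(p,q)-WOT as a Weak Generic Transfer: a call returns ((yA, zA), (yB, zB)).
    Honest parties use only y; zA = c with probability p and zB = (b0, b1) with
    probability q are the leaks a corrupt party may read (None means no leak)."""

    def __init__(self, p: float, q: float, rng: random.Random) -> None:
        self.p, self.q, self.rng = p, q, rng

    def __call__(self, b0: int, b1: int, c: int):
        zA = c if self.rng.random() < self.p else None
        zB = (b0, b1) if self.rng.random() < self.q else None
        return (None, zA), ((b0, b1)[c], zB)


def shares(k: int, bit: int, rng: random.Random) -> List[int]:
    """k uniformly random bits whose XOR equals `bit`."""
    s = [rng.randrange(2) for _ in range(k - 1)]
    return s + [reduce(xor, s, 0) ^ bit]


def s_reduce(k: int, W: WeakOT, b0: int, b1: int, c: int, rng: random.Random):
    """S-Reduce(k, W): b0 = XOR of b0i, b1i = b0i ^ b0 ^ b1, c = XOR of ci.
    Returns (receiver output, sender learned c?, receiver learned both bits?)."""
    b0s = shares(k, b0, rng)
    b1s = [x ^ b0 ^ b1 for x in b0s]
    cs = shares(k, c, rng)
    out, zAs, zBs = 0, [], []
    for i in range(k):
        (_, zA), (yB, zB) = W(b0s[i], b1s[i], cs[i])
        out ^= yB
        zAs.append(zA)
        zBs.append(zB)
    # c needs all k of the ci; b0 xor b1 = b0i xor b1i falls out of any one leaked pair
    return out, all(z is not None for z in zAs), any(z is not None for z in zBs)


def r_reduce(k: int, W: WeakOT, b0: int, b1: int, c: int, rng: random.Random):
    """R-Reduce(k, W): ci = c, b0 = XOR of b0i, b1 = XOR of b1i."""
    b0s, b1s = shares(k, b0, rng), shares(k, b1, rng)
    out, zAs, zBs = 0, [], []
    for i in range(k):
        (_, zA), (yB, zB) = W(b0s[i], b1s[i], c)
        out ^= yB
        zAs.append(zA)
        zBs.append(zB)
    # any leaked ci equals c; the other input needs all k of its shares
    return out, any(z is not None for z in zAs), all(z is not None for z in zBs)


def lemma6(which: str, k: int, p: float, q: float) -> Tuple[float, float]:
    """Error pair predicted by Lemma 6 for S-Reduce ("S") or R-Reduce ("R")."""
    if which == "S":
        return p ** k, 1 - (1 - q) ** k
    return 1 - (1 - p) ** k, q ** k


def measure(which: str, k: int, p: float, q: float, trials: int = 20000, seed: int = 11):
    """Runs the chosen reduction on random inputs; returns (fraction of correct
    receiver outputs, sender-leak rate, receiver-leak rate) to compare with lemma6()."""
    rng = random.Random(seed)
    W = WeakOT(p, q, rng)
    red = s_reduce if which == "S" else r_reduce
    correct = sl = rl = 0
    for _ in range(trials):
        b0, b1, c = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        out, s, r = red(k, W, b0, b1, c, rng)
        correct += out == (b0, b1)[c]
        sl += s
        rl += r
    return correct / trials, sl / trials, rl / trials
```

The receiver's output is always correct, while the two leak rates move in opposite directions: S-Reduce shrinks the sender's chance to $p^k$ at the price of raising the receiver's, and R-Reduce does the reverse, which is why Lemma 7 alternates the two.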
4.3 A Reduction to $(p, q)$-WOT

Lemma 7 shows that the lower bound given by Lemma 4 is tight when $\varepsilon = 0$. Lemmata 4 and 7 imply Theorem 1.

Lemma 7. There exists a reduction for building 1-2 OT from a $(p, q)$-WOT, the range of which is $\{p, q \mid p + q < 1\}$. It works efficiently for all points in its range.

Proof. Suppose we start with a $(p, q)$-WOT W, and apply first R-Reduce$(t, W)$ and then S-Reduce$(t', W)$. We call this combination RS-Reduce. It follows easily that RS-Reduce produces a $((1 - (1 - p)^t)^{t'},\; 1 - (1 - q^t)^{t'})$-WOT. Of course, we can also apply S-Reduce first, and obtain a $(1 - (1 - p^t)^{t'},\; (1 - (1 - q)^t)^{t'})$-WOT. We call this combination SR-Reduce.

The strategy for our reduction is to apply repeatedly SR-Reduce or RS-Reduce, in order to reduce as quickly as possible the sum of the error probabilities. When given errors $(p, q)$, we apply RS-Reduce if $p < q$, and SR-Reduce otherwise. This will be called one step in the reduction.

To analyse the effect of one step, define $x = q$, $y = 1 - p$ when $p < q$, and $x = p$, $y = 1 - q$ otherwise. It follows that the difference between the sum of the errors before and after the transformation is

$$f(t, t', x, y) = (1 - y^t)^{t'} + 1 - (1 - x^t)^{t'} - (1 - y + x) = \left( (1 - y^t)^{t'} + y \right) - \left( (1 - x^t)^{t'} + x \right)$$

The constraints we have on $p, q$ imply that $1/2 < y < 1$ and $1 - y < x < y$. And we see that the progress we make is the difference between the values of the function $g_{t,t'}(z) = (1 - z^t)^{t'} + z$ evaluated at points $x$ and $y$. The trick is now to choose, given $x$ and $y$, values of $t$ and $t'$ such that the above difference becomes numerically "large". Note that since we are subtracting the sum before the step from the sum after, the difference is hopefully negative.

In any situation where the error probability sum before a step is greater than 0.2, one of the following three cases applies:

$y < 0.8$: This is a case where the smallest of $p, q$ is at least 0.2, so $p, q$ are both "large." In this case, we choose $t = t' = 2$. By direct inspection of $g_{2,2}(x)$, one finds that for any $x, y$ obeying the restrictions, $(g_{2,2}(y) - g_{2,2}(x))/(y - x) < -0.1$. Since $y - x = 1 - (p + q)$, this shows that taking one step in this case multiplies the distance from $p + q$ to 1 by a factor of at least 1.1.

$y > 0.8$, $x > .4$: In this case, $p + q$ is also "large," but this time because one probability is small and the other is large. In this case, we choose $t = 2$ and $t' = 1$. Again, by direct inspection, one can verify that $(g_{2,1}(y) - g_{2,1}(x))/(y - x) < -0.2$. By the same argument as before, we see that in this case, the distance from $p + q$ to 1 is multiplied by at least 1.2 by taking one step.

$y > 0.8$, $x < .4$: In this case, both $p$ and $q$ and hence $p + q$ are "small." We choose $t = t' = 2$. Observe that for the large $y$, $g_{2,2}(y)$ approaches $y$ as $y$ approaches 1, while for the small $x$, $g_{2,2}(x)$ approaches $1 + x$ as $x$ approaches 0. As a result, $(g_{2,2}(y) - g_{2,2}(x))/(1 - y + x) \approx -1$ for small $x$ and large $y$, and is in fact less than $-0.2$ for the range specified. However, $1 - y + x = p + q$, so we see that in this case, taking one step reduces $p + q$ to at most 0.8 of its previous value.

As soon as we have an error probability sum which is at most 0.2, we start doing steps where we always have t = 4. In this case one finds that if the error sum was s before a step it is at most … afterwards.

The overall strategy is now as follows: we first do whatever number of steps is necessary to bring the error probability sum below 0.2. We then do log_2(k) steps, where k is the security parameter. It follows from the above that the resulting error probability sum is exponentially small in k, at most 0.2^k. The number of calls we make to the WOT is exponential in the number of steps, but since we only take a logarithmic number of steps, the total number of calls is polynomial in k. □

The above argument only considers p, q as being constants. However, even if we have a case where p + q is a function of some parameter n and converges polynomially to 1 in n, e.g. p(n) + q(n) = 1 − 1/n, the reduction in the proof still works in time polynomial in n.
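As an added numerical check of the step strategy in this proof (example code, not from the paper): the functions below evaluate only the error-probability formulas given above for RS-Reduce and SR-Reduce together with the three-case choice of t, t', and iterate steps until the error sum is at most 0.2. The final phase with t = 4 is not implemented.

```python
"""Added example: the RS/SR-Reduce step strategy evaluated on error probabilities.

Only the closed-form error transformations are used; no WOT is simulated.
"""


def rs_reduce(p, q, t, t2):
    """Errors of the WOT obtained by R-Reduce(t) followed by S-Reduce(t2)."""
    return (1 - (1 - p) ** t) ** t2, 1 - (1 - q ** t) ** t2


def sr_reduce(p, q, t, t2):
    """Errors of the WOT obtained by S-Reduce(t) followed by R-Reduce(t2)."""
    return 1 - (1 - p ** t) ** t2, (1 - (1 - q) ** t) ** t2


def g(t, t2, z):
    """g_{t,t'}(z) = (1 - z^t)^{t'} + z; the change of the error sum is g(y) - g(x)."""
    return (1 - z ** t) ** t2 + z


def choose_parameters(p, q):
    """The case split of the proof: returns (x, y, t, t')."""
    if p < q:
        x, y = q, 1 - p
    else:
        x, y = p, 1 - q
    if y < 0.8:          # both p and q "large": t = t' = 2
        return x, y, 2, 2
    if x >= 0.4:         # one small, one large: t = 2, t' = 1
        return x, y, 2, 1
    return x, y, 2, 2    # both "small": t = t' = 2


def step(p, q):
    """One step: RS-Reduce if p < q, SR-Reduce otherwise, with the chosen t, t'."""
    _, _, t, t2 = choose_parameters(p, q)
    if p < q:
        return rs_reduce(p, q, t, t2)
    return sr_reduce(p, q, t, t2)


def progress_ratio(p, q):
    """(g(y) - g(x)) / (y - x), the quantity bounded in the first two cases."""
    x, y, t, t2 = choose_parameters(p, q)
    return (g(t, t2, y) - g(t, t2, x)) / (y - x)


def reduce_until(p, q, target=0.2, max_steps=50):
    """Iterate steps until p + q <= target; returns (p, q, number of steps)."""
    steps = 0
    while p + q > target and steps < max_steps:
        p, q = step(p, q)
        steps += 1
    return p, q, steps


if __name__ == "__main__":
    print(reduce_until(0.3, 0.3))   # constructed starting errors
```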

4.4 A Reduction to (p, q, e)-WOT

Lemma [?] shows that no reduction of 1-2-OT to (p, q, e)-WOT exists if p + q + 2e > 1, and this even in the case of passive adversaries. We show that if p + q + 2e < 0.45, such a reduction does exist. We adapt SR-Reduce to deal with transmission errors. We then characterize triplets (p, q, e) for which 1-2 OT is reducible to (p, q, e)-WOT. The reduction we consider assumes only passive adversaries.

The following error detection phase accepts a parameter l > 0 and, given a (p, q, e)-WOT W, produces a (p', q', e')-WOT W' such that e' < e. As usual b_0 and b_1 denote the two bits to be transmitted and c is the selection bit.

Protocol ErRed(l, W)

1. A chooses q_0, q_1 ∈_R {0, 1} and B chooses s ∈_R {0, 1},

2. A sends l times the bits (q_0, q_1) through the (p, q, e)-WOT W and B selects the bit q_s l times,

3. If B did not receive the same bit q_s l times then A and B go to Step 1.

4. B announces ρ = 0 if s = c and ρ = 1 otherwise.

5. A announces r_0 and r_1 such that b_ρ = r_0 ⊕ q_0 and b_{1−ρ} = r_1 ⊕ q_1, allowing B to compute b_c = q_s ⊕ r_s.
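The ErRed phase above, simulated in Python as an added example (not code from the paper). The toy (p, q, e)-WOT models only the transmission error e, since the leakage probabilities p and q do not affect whether B obtains b_c; the residual-error formula is an added derivation under independent flips, the text itself only states e' < e.

```python
"""Added example: ErRed(l, W) over a toy WOT that flips B's bit with probability e."""
import random


def wot_send(b0, b1, c, e, rng):
    """One call to the toy (p, q, e)-WOT: B learns b_c, flipped with probability e."""
    got = b1 if c else b0
    return got ^ 1 if rng.random() < e else got


def errred(b0, b1, c, l, e, rng, max_restarts=10_000):
    """Run ErRed(l, W) with selection bit c and return B's output bit."""
    for _ in range(max_restarts):
        q0, q1 = rng.randrange(2), rng.randrange(2)            # Step 1, A
        s = rng.randrange(2)                                   # Step 1, B
        received = [wot_send(q0, q1, s, e, rng) for _ in range(l)]   # Step 2
        if len(set(received)) != 1:                            # Step 3: restart
            continue
        qs = received[0]                                       # B's view of q_s
        rho = 0 if s == c else 1                               # Step 4
        # Step 5: A picks r0, r1 so that b_rho = r0 ^ q0 and b_{1-rho} = r1 ^ q1.
        if rho == 0:
            r0, r1 = b0 ^ q0, b1 ^ q1
        else:
            r0, r1 = b1 ^ q0, b0 ^ q1
        rs = r1 if s else r0
        return qs ^ rs                                         # B computes b_c
    raise RuntimeError("too many restarts")


def residual_error(e, l):
    """Probability that l agreeing copies are all wrong, given that they agree.

    Added derivation for independent flips (not a formula from the paper).
    """
    wrong, right = e ** l, (1 - e) ** l
    return wrong / (wrong + right)


def errred_error_rate(e, l, trials=20_000, seed=1):
    """Fraction of constructed random runs in which B's output differs from b_c."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        b0, b1, c = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        if errred(b0, b1, c, l, e, rng) != (b1 if c else b0):
            bad += 1
    return bad / trials


if __name__ == "__main__":
    print(residual_error(0.15, 3), errred_error_rate(0.15, 3))
```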

We are now ready to describe a reduction of 1-2 OT to (p, q, e)-WOT which basically inserts calls to ErRed into SR-Reduce (and RS-Reduce). Given positive integers l_0, k, l_1, k', l_2 and a (p, q, e)-WOT W_0, protocol SR_e produces a new (p', q', e')-WOT W:

Protocol SR_e(l_0, k, l_1, k', l_2, W_0)

• W ← ErRed(l_2, R-Reduce(k', ErRed(l_1, S-Reduce(k, ErRed(l_0, W_0))))).

RS_e(l_0, k, l_1, k', l_2) is defined the same way except that the calls to S-Reduce and R-Reduce are swapped. Similarly to Lemma [?] one can characterize exactly the transformation taking place in a call to SR_e(l_0, k, l, k', l') for any parameters l_0, k, l, k', and l'. In particular, SR_e(l_0, k, l, k', l') transforms a (p, q, e)-WOT into a (p', q', e')-WOT where p' = 1 − (1 − (1 − (1 − …, q' = 1 − (1 − (1 − (1 − … and e' is of similar but slightly more complicated form. A brute force analysis, using linear programming, shows that SR_e can be tuned to work at 45% of the optimum (the sketch of the proof can be found in [ref]).

Lemma 8. 1-2 OT can be implemented given any (p, q, e)-WOT that satisfies p + q + 2e < 0.45.

The above bound is not tight, especially whenever one of p + q and e is small. In particular, SR_e works for all (p, q, 0) such that p + q < 1 and for all (0, 0, e) such that e < 1/2. A natural question arises: is it possible to use a different method for choosing the parameters l_0, k, l_1, k' and l_2 such that the reduction SR_e works also for p + q + 2e ≥ 0.45? The following lemma suggests that if one wants to get closer to the bound p + q + 2e = 1, one has to find a different reduction.

Lemma 9. There exist triplets (p, q, e) that satisfy p + q + 2e ≤ 0.70 such that SR_e and RS_e do not work for any value of the parameters l_0, k, l_1, k' and l_2.

Proof (sketch). Let p = q = 0.2 and e = 0.15 be the parameters of a WOT that satisfies p + q + 2e = 0.7. It can be shown that whatever the parameters l_0, k, l_1, k' and l_2 are, the reduction always generates an intermediary simulatable triplet. □

Lemma 9 suggests that introducing noise in a WOT might lead to a primitive that is strictly weaker than 1-2 OT even for a non-simulatable but noisy WOT. However, the gap between the bounds could be narrowed down by finding a better simulation and/or a new reduction. It is unknown to us whether such a gap necessarily exists.

5 Reducing Bit Commitment to (γ, δ)-UNC

5.1 Preliminaries

Our commitment protocol makes extensive use of t-universal hash functions, first introduced in [ref]; we use the following slightly stronger notion that has become more or less standard. Given a domain D and a range R, a t-universal family of hash functions is a distribution H on a set of functions {h_i} such that for any distinct X_1, …, X_t ∈ D, if h is chosen according to H, the induced distribution on (h(X_1), …, h(X_t)) is uniform over R^t. For our application, D = {0, 1}^k, R = {0, 1}^l, for some k, l. For any k and l, there exists a t-universal family of hash functions whose functions may be represented using poly(k, t) bits, and for which the operations of sampling h from the distribution and computing h(X) may be performed in poly(k, t) time. Hence, we speak of one party "sending" a function, abstracting all representational details.

Given two bit-sequences X and X', let d(X, X') denote their Hamming distance, i.e., the number of places where they differ. We use distance as shorthand for Hamming distance.

There is a huge body of literature on universal hash functions and their use in cryptography. Despite superficial differences, our method is motivated by that of [ref].

5.2 What We Need To Achieve

Note that it suffices to produce a protocol for committing to x = r for a random bit r; as a standard trick one can commit to y = b by revealing b' = b ⊕ r and defining y = x ⊕ b'. For the rest of the discussion, we analyze the case of committing to random values. We also allow the receiver to reject even though the committer followed the protocol, but only with probability negligible in the security parameter, k.

5.3 The Protocol

On a high level, our (weak) commitment protocol consists of the following steps. First, C sends a string X over the noisy channel to R. R queries C about the value of h_i(X) for i = 1, 2. Finally, C chooses a hash function h and designates h(X) as the random committed value. To reveal a bit, C sends X to R. R accepts if X is close to the received value and is consistent with the queried hash values.

Protocol Commit(γ, δ, k)

Define d_0 by γ(1 − d_0) + (1 − γ)d_0 = δ and let d_1 = (d_0 + γ)/2, d = (d_1 + γ)/2 and l = ⌊lg(Σ_{i=1}^{dk} (k choose i))⌋ …, and define l* as l, where we replace dk by d*k. Note that, by a standard argument, it follows that l − l* > ck for some constant c as k grows sufficiently large.

Let H, H_1 and H_2 be canonical 64k-universal families of hash functions from {0, 1}^k to {0, 1}, {0, 1}^{l*} and {0, 1}^{l − l*}, respectively.

1. C uniformly chooses X = x_1, …, x_k ∈ {0, 1}^k and sends X to R over the (γ, δ) channel. Denote by X' = x'_1, …, x'_k the string received by R.

2. For i = 1 to 2

R chooses h_i ← H_i and sends h_i to C.

C sends y_i = h_i(X) to R.

3. C chooses h ← H and sends h to R. The committed bit is defined as h(X).

Protocol Open(γ, δ, k)

Let X, X', y_1, y_2, h, h_1, h_2, d_0, d_1 and d be as in the execution of Commit for the bit to be opened, and let δ' = γ(1 − d_1) + (1 − γ)d_1.

1. C sends X to R.

2. R rejects if y_i ≠ h_i(X) for any i or if d(X, X') > δ'k. Otherwise, R accepts the committed value h(X).

5.4 Analysis of the Protocols

We first observe that the protocol behaves correctly if both parties are honest. For the rest of this discussion, "negligible" means smaller than 1/k^c, for any c, as k grows sufficiently large, and "almost always" means with probability negligibly close to 1. Proofs of some of the Lemmata below are sketched in the appendix.

Lemma 10. If C and R both correctly execute Commit and Open, then R accepts the value r = h(X) almost always (where h and X are as generated by C during Commit).

We next show that the committer has only a negligible probability of breaking the commitment scheme.

Lemma 11. Regardless of C's strategy for generating X, (h_1, y_1), (h_2, y_2) during Commit, there will almost certainly be at most one string, denoted X*, that C can send R with a nonnegligible probability of acceptance.

Hence, C is committed to h(X*). Note that C can ensure that h(X*) is not random, but this does not constitute a break of the commitment scheme. In the reduction from a standard commitment protocol to a random-bit commitment protocol, C and only C benefits from the randomness of the committed bit.

Before proving the lemma, we first define a set of viable X* that C can reasonably send during the Open protocol.

Definition 12. Given X, (h_1, y_1), (h_2, y_2), we say that X* is viable if it differs from X in at most d*k places and y_i = h_i(X*) for i = 1, 2.

Proposition 13. If X* is not viable, then R will accept X* with negligible probability, where the probability is taken over the behavior of the noisy channel.

Proof (of Lemma 11). (Sketch) We can view the process of generating (h_i, y_i) as progressively constraining and shrinking the viable set S. Initially, the viable set S consists of those strings whose distance from X is at most d*k.

We use the following result by Rompel [ref].

Lemma 14. [ref] Let X_1, …, X_n be a set of t-wise independent random variables taking 0/1 values. Let X = Σ_i X_i, and μ = E(X). Then for any A > 0, we have that Pr(|X − μ| > A) ≤ …

Fix any string y ∈ {0, 1}^{l*}, and define X_i as X_i = 1 iff the i'th viable string is mapped to y by h_1; X_i = 0 otherwise. Then clearly, μ = 1. We apply the above lemma with t = 4k and A = t^…, and we say that y is bad if its preimage under h_1 has more than t^… viable strings in it. The lemma can be used because the X_i's by construction are 64k > t-wise independent. It immediately implies that the probability that y is bad is at most 2^{−t/2}. The probability that ANY y is bad is at most 2^{l*} ≤ 2^k times larger, so since we have chosen t = 4k, even this



Ivan Damgard, Joe Kilian, and Louis Salvail

last probability becomes exponentially small (in k). So except with exponentially small probability, at most … = 64k viable strings remain. The final constraint added is the value of h_2(X). Since h_2 is 64k-universal and l − l* > ck, we can view this constraint as assigning at least ck random bits to each string X* ∈ S. In order for two strings X*_1, X*_2 ∈ S to both remain viable, they must both receive the same bit sequence; the probability of this occurring for any such pair is negligible.

Finally, we show that after Commit, R can predict r with only a small advantage.

Lemma 15. At the conclusion of Commit, the expected amount of information R holds about h(X) is exponentially small in k.



6 Reducing 1-2 OT to (γ, δ)-UNC

We first reduce 1-2 OT to (γ, δ)-PassiveUNC by a reduction secure against passive adversaries. The reduction is a straightforward adaptation of a reduction of Crépeau and Kilian [ref] that builds 1-2 OT from a BSC. The same procedure is then shown to reduce 1-2 OT to (γ, δ)-UNC. Bit commitments can finally be used to tolerate active adversaries for the same price.

In the appendix, the reduction WOTfromPassiveUNC is described. Given a (δ, γ)-PassiveUNC, it produces a (p(δ, γ), q(δ, γ), e(δ))-WOT W that can be used in the reductions SR_e and RS_e. Using Lemma 8, 1-2 OT can be obtained from any (δ, γ)-PassiveUNC that satisfies p(δ, γ) + q(δ, γ) + 2e(δ) < 0.45. Unlike the bit commitment case, we were not able to show that as soon as the unfairness of the PassiveUNC is not simulatable then 1-2 OT is possible. Nevertheless, the next lemma gives a partial answer, leaving a "grey" area of values for γ, δ where neither the impossibility result nor our reduction applies. Due to space limitations, we refer the reader to [ref] for the proof of the next lemma.



Lemma 16. There exists a reduction secure against passive cheating of 1-2 OT to (γ, δ)-PassiveUNC such that … − C(1 − α)) > …, where e(δ) = … / (δ² + (1 − δ)²), … = (1 − … − γ)/(1 − 2γ), α = …, … = 1 − …/(1 − δ), … = 1 − …/δ. [The remaining terms of the condition and definitions are unreadable in the scan.]

To give a numerical example, when δ = .075, one can reduce 1-2 OT to (γ, δ)-PassiveUNC for γ ≈ .06; no such reduction is possible for γ < .039.

The reduction is also secure when a (γ, δ)-UNC is used instead of a (γ, δ)-PassiveUNC. The following straightforward lemma establishes this fact.

Lemma 17. Any secure reduction to (γ, δ)-PassiveUNC against passive adversaries is also a secure reduction to (γ, δ)-UNC given it produces the correct output for any noise level in the interval [γ … δ].

Intuitively, the adversary maximizes the information he gets by reducing the noise level of a (δ, γ)-UNC to γ. In this case, the information obtained is the same as if a (γ, δ)-PassiveUNC was used. If in addition the reduction to PassiveUNC produces the right output for any noise level in [γ … δ], then a (γ, δ)-UNC can be used instead. It is easy to verify that WOTfromPassiveUNC is a reduction working for any noise level in the interval [γ … δ].

Any reduction of 1-2 OT to UNC that is secure against passive cheating can handle the case of active cheating as well by proceeding along the same lines as [ref]. To briefly sketch the construction, we first note that once A and B get a bit commitment scheme, they can prove in ZK that they follow the protocol honestly [ref]. They can also use the bit commitment scheme in a cut-and-choose manner for showing that the bits sent and received through the channel are used according to the protocol description. The result is that from a UNC and a bit commitment scheme, a committed UNC is built. From this point, general ZK techniques are used to make sure that no active cheating occurs. Using Lemma 17 and the above argument leads to the following corollary:

Corollary 18. Lemma 16 applies against active adversaries for both the (γ, δ)-PassiveUNC and the (γ, δ)-UNC.
A WOT from PassiveUNC and Proofs from Section 5

In this appendix, we first give the reduction of WOT to PassiveUNC and second, we provide the proofs from Section 5.

Protocol WOTfromPassiveUNC(b_0, b_1)(c)

1. A picks x, y ∈_R {0, 1},

2. A sends (xx, yy) through the PassiveUNC(γ, δ) and B receives (xx', yy'),

3. If B receives (x ⊕ x', y ⊕ y') ∉ {(0, 1), (1, 0)} then they go to step 1.

4. B announces w such that

— w = 0 if ((x ⊕ x' = 0) ∧ (c = 0)) ∨ ((y ⊕ y' = 0) ∧ (c = 1))

— w = 1 if ((x ⊕ x' = 0) ∧ (c = 1)) ∨ ((y ⊕ y' = 0) ∧ (c = 0))

5. A announces

— (α, β) = (x ⊕ b_0, y ⊕ b_1) if w = 0,

— (α, β) = (y ⊕ b_0, x ⊕ b_1) if w = 1,

6. B computes

— b_0 = α ⊕ x if c = 0 and w = 0,

— b_0 = α ⊕ y if c = 0 and w = 1,

— b_1 = β ⊕ y if c = 1 and w = 0,

— b_1 = β ⊕ x if c = 1 and w = 1.
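WOTfromPassiveUNC simulated over a binary symmetric channel as an added example (not the paper's code). The channel flips each bit independently with probability delta, i.e. the passive channel at its highest noise level; the leakage terms p and q are not modelled, and the formula for how often the consistently received pair is in fact doubly flipped is an added derivation. Note that the protocol needs delta > 0: without noise, Step 3 never accepts.

```python
"""Added example: WOTfromPassiveUNC(b0, b1)(c) over a constructed BSC(delta)."""
import random


def bsc(bit, delta, rng):
    """Constructed channel: flips the bit with probability delta."""
    return bit ^ 1 if rng.random() < delta else bit


def wot_from_passive_unc(b0, b1, c, delta, rng, max_restarts=100_000):
    """One execution of the protocol; returns the bit B outputs."""
    for _ in range(max_restarts):
        x, y = rng.randrange(2), rng.randrange(2)              # Step 1
        x1, x2 = bsc(x, delta, rng), bsc(x, delta, rng)        # Step 2: xx ...
        y1, y2 = bsc(y, delta, rng), bsc(y, delta, rng)        # ... and yy
        if (x1 ^ x2, y1 ^ y2) not in ((0, 1), (1, 0)):         # Step 3: restart
            continue
        x_consistent = (x1 ^ x2) == 0
        # Step 4: w = 0 iff the consistent pair is the one B needs for c.
        w = 0 if (x_consistent and c == 0) or (not x_consistent and c == 1) else 1
        # Step 5: A's masked values (alpha, beta).
        alpha, beta = (x ^ b0, y ^ b1) if w == 0 else (y ^ b0, x ^ b1)
        # Step 6: B unmasks with the value it received consistently.
        if c == 0:
            return alpha ^ (x1 if w == 0 else y1)
        return beta ^ (y1 if w == 0 else x1)
    raise RuntimeError("too many restarts (delta must be positive)")


def pair_error(delta):
    """Probability that a pair received as equal was flipped twice.

    Added derivation for independent flips; this is B's transmission error.
    """
    return delta ** 2 / (delta ** 2 + (1 - delta) ** 2)


def unc_error_rate(delta, trials=20_000, seed=7):
    """Fraction of constructed random runs in which B's output differs from b_c."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        b0, b1, c = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        if wot_from_passive_unc(b0, b1, c, delta, rng) != (b1 if c else b0):
            bad += 1
    return bad / trials


if __name__ == "__main__":
    print(pair_error(0.1), unc_error_rate(0.1))
```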

Proof Sketch of Lemma 10. By inspection, if R accepts it will always recover r = h(X) (assuming C is good), and R will only reject if X and X' differ in at least δ'k places. Now, since δ < 2γ(1 − γ), d_0 < d_1 < γ and hence δ' > δ. However, for each i, x'_i ≠ x_i with independent probability at most δ, so by a standard Chernoff bound, the probability that x'_i ≠ x_i in δ'k places is negligible in k. Note that by the universality of H, r is distributed uniformly over {0, 1}. □

Proof Sketch of Proposition 13. Clearly, R will reject if y_i ≠ h_i(X*). Suppose that X* differs from X in d*k places and the channel flips each bit with probability at least γ. Then X* and X' will differ in at least δ*k expected places, where δ* = γ(1 − d*) + (1 − γ)d* > δ'. By a standard Chernoff bound, they will almost always differ in more than δ'k places, causing R to reject. □

Proof Sketch of Lemma 15. First, we conceptually give R the value of d(X', X); this can only help R. Let the set S denote those Xs at the given distance; after receiving X', each X ∈ S is equally likely. We first observe that for some constant c_1 > 0, H(X', X) − dn > c_1 n almost always; it follows that for some constant c_2 > 0, |S|/2^l > 2^{c_2 k}.



Basing Oblivious Transfer and Bit Commitment on Weakened Assumptions

Now, after receiving X', R can obtain h_1(X), h_2(X). Note that we cannot assume these functions are chosen randomly. Still, conceptually, we can view R as flipping its random coins (if it uses any) and then constructing a (quite shallow) decision tree. Each interior vertex v is labelled with a hash function h to be sent to C; the edges from v to its children correspond to the possible answers C might give (2^{l*} possibilities in the first level, 2^{l − l*} in the second).

For every vertex v in the tree we define the set S_v as those X ∈ S that are consistent with the sequence of hash functions and answers given on the path from the root vertex to v. We can view Step 2 of Commit as a traversal from the root of the tree to a leaf l.

By a simple probability argument, the probability that a given leaf l is reached is |S_l|/|S|, and the conditional distribution on X is uniform over S_l. Since the tree has only 2^l leaves, the probability of reaching a leaf l with |S_l| < 2^{c_2 k/2} is at most 2^{−c_2 k/2}; we can safely ignore this event. On the other hand, in every case where |S_l| > 2^{c_2 k/2}, it follows immediately from the privacy amplification result in [ref] that R's expected information about h(X) is exponentially small.

□
Abstract. We consider the problem of sending messages "into the future." Previous constructions for this task were either based on heuristic assumptions or did not provide anonymity to the sender of the message. In the public-key setting, we present an efficient and secure timed-release encryption scheme using a "time server" which inputs the current time into the system. The server has to only interact with the receiver and never learns the sender's identity. The scheme's computational and communicational cost per request are only logarithmic in the time parameter. The construction of our scheme is based on a novel cryptographic primitive: a variant of oblivious transfer which we call conditional oblivious transfer. We define this primitive (which may be of independent interest) and show an efficient construction for an instance of this new primitive based on the quadratic residuosity assumption.



1 Introduction 

Time is a critical aspect of many applications in distributed computer systems 
and networks. Among other things, time is used to co-ordinate remote actions, 
to guarantee and monitor services, and to create linear order in some distributed 
transactions systems. Roughly speaking, applications of time in distributed sys- 
tems fall in two categories: those that use relative time between events (e.g. one 
hour from the last reboot) and those that use absolute time (e.g. 0900 hours, May 
2, 1999 GMT). We can concentrate on the second category as relative timing 
can be implemented using absolute time but not vice-versa. While the existence 
of a common view of current time is essential in systems that use absolute time, 
it is generally hard to implement in a distributed system - either the local clock 
is assumed to be an acceptable approximation of the universal time or there is 
a central time “server” that is available whenever needed and local clocks are 
periodically synchronized [ref]. In some cases, the trustworthiness of the time 
server may be an issue as adversarial programs may try to change the value of 
the local clock or spoof a network clock to their advantage and this may have an 
unacceptable negative effect on the system. Such problems can be solved using 
authentication mechanisms as long as the applications only need the current 
time (or to be more accurate, the “latest time”). There are many applications 
that depend on a common assumption of an absolute time that is in the future, 
where, say, the opening of a document before a specified time is unacceptable. 
An example is the Internet programming contest where teams located all over 
the world need to be given access to the challenge problems at a certain time. 
Another example may be in trading stocks: suppose one wants to send an e-mail 
message from their laptop computer to a broker to sell a stock at a particular 
time in the future. The broker should not be able to see the message before that 
time and gain an unfair advantage, and yet one cannot rely on a service such 
as e-mail to work correctly and expeditiously if the message was sent exactly on 
release-time. The essence of the problem is this: the message has to be sent early 
but the broker should not be able to read the message before the release-time. 
Also, it would be preferable from a security perspective if the time server never 
learns the identity of the sender of the message. 

The act of encrypting a document so that it cannot be read before a release-time has been called "sending information into the future" or timed-release cryptography by May [ref]. Rivest, Shamir and Wagner give a number of applications for timed-release cryptography: electronic auctions, sealed bids and chess moves, release of documents (like memoirs) over time, payment schedules, press releases, etc. Bellare and Goldwasser propose that timed release may also be used in key escrow: they suggest that the delayed release of escrowed keys may be a suitable deterrent in some contexts to the possible abuse of escrow.

Prior techniques: There are two main approaches suggested in the literature: the first one is based on so-called "time-lock puzzles," and the second one is based on trusted "time-servers." Time-lock puzzles were first suggested by Merkle [ref] and extended by Rivest et al. [ref]. The idea is that the time to recover a secret is given by the minimum computational effort needed by any machine, serial or parallel, to perform some computation which enables one to recover the secret. This approach has the interesting feature of not requiring any third party or trust assumption. On the other hand, it escapes a formal proof that a certain lock is valid for a certain time. The time-lock puzzle presented by Bellare and Goldwasser in [ref] is based on the heuristic assumption that exhaustive search on the key space is the fastest method to recover the key of, say, 40-bit DES. In [ref], Rivest et al. point out that this only works on average: for instance, for a particular key, exhaustive search may find the key well before the assigned time; they then propose a time-lock puzzle based on the hardness of factoring which does not have this problem, although it still uses a different heuristic assumption about the minimum time needed to perform some number-theoretic calculations. A major disadvantage of time-lock puzzles from our point of view is that they can only solve the relative time problem.

A "time-server" is a trusted third party that is expected to allow release of the message at the appointed time only. May [ref] suggests that the third party be a trusted escrow agent that stores the message and releases it at release-time. This does not scale well since the agent has to store all escrowed messages until their release-times. Moreover, no anonymity is guaranteed: the server knows the message, the release-time, and the identity of the two parties. In Rivest et al. [ref] it was suggested that the server simply use the iterates of a one-way function (or a public-key sequence) and publish the next iterate value after one unit of time. A sender wishing to release a document at time t gets the server to encrypt the document (or a key to an encrypted version) with a secret key that the server will only publish at time t. This scheme has the advantage that the server does not have to remember anything except the seed to the sequence of one-way function iterates. This scheme requires the server to generate and publish a large number of keys, so that the overall computation and storage costs are linear in the time parameter. Furthermore, the receivers are anonymous but the sender is not anonymous in this scheme and the time server knows the release-time requested.

The Model. The general discussion above shows that it is necessary and advantageous to have a system in which the current absolute time is available with the facility of posting messages that can be read at a future time. For completeness, we first lay out some basic considerations. To begin with, time needs to be defined. In computers, as in real life, time is simply defined to be the output of a certain clock (such as the Denver Atomic Clock). We can assume the existence of such an entity which we will call the Time Server (or simply, server) that defines the time. Naturally, the server outputs (periodically or upon request) messages that indicate the current time (down to whatever granularity is needed or possible). The server is endowed with a universally known public key. However, the server is not required to remember any other keys, such as keys of senders and receivers (in this respect, our model is different from that of Rivest et al. [ref]).

What we are concerned with here is timed release of electronic documents: it is straightforward to see that using encryption, we can reduce this problem to timed release of the decryption key (rather than the document itself, which is assumed to be delivered ahead in encrypted form). Now, if the sender of a document is available at the time of its release, this problem is trivial since the sender can herself provide the decryption key at release-time. Thus, we can assume that the sender of the document is only present prior to, but not at, the release time. Furthermore, as May [ref] suggested, if we have a trusted escrow agent that supplies the decryption key at the appointed time, again the problem is solved (but the solution does not scale well for the server). Next, the problem is also trivial if the receiver can be trusted by the sender to not decrypt the document before the release-time. Therefore, we assume that the sender does not trust the receiver to not try to decrypt the document before the release-time. Finally, it may be that the sender is remote and hence may not be able to communicate directly with the server (this is not possible in [ref]). Hence, we will also assume that the sender and server cannot interact at any time. However, the receiver can interact with the server and we will be interested in keeping this interaction to the minimum as well.

Putting all this together, the problem of timed-release encryption that we address in this paper can be restated as follows: how can a sender, without talking to the server, create a document with a release-time (defined using the notion of time as marked by the server) such that a receiver can decrypt this document only after the release-time has passed by interacting with the server, and such that the server does not learn the identity of the sender?

Our results: We present a formal definition for the cryptographic task of a 
timed-release encryption scheme, and a solution to this task. Also, we introduce a 
new variant of the oblivious transfer protocol, which we call conditional oblivious 
transfer. We present a formal definition for this variant, and a construction for 
an instance of it. The properties of this construction will be crucial for the design 
of our timed-release encryption scheme. 



Conditional Oblivious Transfer. The Oblivious Transfer protocol was introduced by Rabin [ref]. Informally, it can be described as follows: it is a game between two polynomial time parties Alice and Bob; Alice wants to send a message to Bob in such a way that with probability 1/2 Bob will receive the same message Alice wanted to send, and with probability 1/2 Bob will receive nothing. Moreover, Alice does not know which of the two events really happened. There are other equivalent formulations of Oblivious Transfer (see, e.g., [refs]). This primitive has found numerous applications (see, e.g., [refs]).

In this paper, we consider a variant of Oblivious Transfer, which we call Conditional Oblivious Transfer. In this variant, Bob and Alice have private inputs and share a public predicate that is evaluated over the private inputs and is computable in polynomial time. The conditional oblivious transfer of (for simplicity), say, a bit b from Alice to Bob has the following requirements. If the predicate holds, then Bob successfully receives the bit Alice wanted to send him, and if the predicate does not hold, then no matter how Bob plays, he will have no information about the bit Alice wanted to send him. Furthermore, no efficient strategy can help Alice during the protocol in computing the actual value of the predicate. Of course, such a game can be easily implemented as an instance of secure function evaluation [refs]; however, we are interested here in more efficient implementations of this particular game. To the best of our knowledge, such a variant has not been considered previously in the literature.



Timed-Release Encryption. The setting is as follows. There are three partici- 
pants: the sender, the receiver and the server. First, the sender transmits to the 
receiver an encrypted messages and a release-time. Then, the receiver can en- 
gage in a conversation with a server. Our timed-release encryption scheme uses, 
in a crucial way, a protocol for conditional oblivious transfer. In particular, the 
server and receiver engage in a conditional oblivious transfer such that if the 
release-time is not less than the current time as defined by the server, then the 
receiver gets the message. Otherwise, the receiver gets nothing. Furthermore, 
the server does not learn any information about the release-time or the identity 
of the sender. In particular, the server does not learn whether the release-time 
is less than, equal to, or greater than the current time. Our protocol has mini- 
mal round-complexity: an execution of the scheme consists of a single message 
from the sender to the receiver and one request-answer interaction between the receiver and the time server. Moreover, we present an implementation of our scheme, using efficient primitives and cryptosystems as building blocks, that only requires communication and computation logarithmic in the size of the time parameter. Finally, we note that the trust placed on the server can be further decreased if more servers are available.

2 Notations and Definitions 

In this section we present notations and definitions needed for this paper. We 
start with basic notations, then we define conditional oblivious transfer and 
timed-release encryption schemes. For the necessary number-theoretic back-
ground on quadratic residuosity and Blum integers, we refer the reader to [refs].

2.1 Basic Notations and Model 

An algorithm is a Turing machine. An efficient algorithm is an algorithm running 
in probabilistic polynomial time. An interactive Turing machine is a probabilistic 
algorithm with an additional communication tape. A pair of interactive Turing 
machines is an interactive protocol. The notation $x \xleftarrow{D} S$ denotes the probabilistic
experiment of choosing element $x$ from set $S$ according to distribution $D$; we
only write $x \leftarrow S$ in the case $D$ is the uniform distribution over $S$. The notation
$y \leftarrow A(x)$, where $A$ is an algorithm, denotes the probabilistic experiment of
obtaining $y$ when running algorithm $A$ on input $x$, where the probability space
is given by the random coins (if any) of algorithm $A$. Similarly, the notation
$t \leftarrow (A(x), B(y))(z)$ denotes the probabilistic experiment of running interactive
protocol $(A, B)$, where $x$ is $A$'s input, $y$ is $B$'s input, $z$ is an input common to
$A$ and $B$, and $t$ is the transcript of the communication between $A$ and $B$ during
such execution. By $\mathrm{Prob}[R_1; \ldots; R_n : E]$ we denote the probability of event $E$
after the execution of probabilistic experiments $R_1, \ldots, R_n$. Let $a \oplus b$ denote
the string obtained as the bitwise logical xor of strings $a$ and $b$. Let $a \circ b$ denote
the string obtained by concatenating strings $a$ and $b$. A language is a subset of
$\{0,1\}^*$.

The predicate GE. Given two sequences of $k$ bits $t_1, \ldots, t_k$ and $d_1, \ldots, d_k$,
define predicate GE as follows: $\mathrm{GE}(t_1, \ldots, t_k, d_1, \ldots, d_k) = 1$ if and only if
$(t_1 \circ \cdots \circ t_k) \ge (d_1 \circ \cdots \circ d_k)$, when strings $t_1 \circ \cdots \circ t_k$ and $d_1 \circ \cdots \circ d_k$ are
interpreted as integers.

The public random string model. In the sequel, we define two cryptographic 
protocols: conditional oblivious transfer, and timed-release encryption, in a set- 
ting that is well known as the “public random string” model. In this model, 
the parties share a public and uniformly distributed string. It was introduced 
by Blum, De Santis, Feldman, Micali and Persiano in [refs], and was motivated
by the goal of reducing the ingredients needed for the implementation of zero-
knowledge proofs. This model has been well studied in cryptography since then
as a minimal setting for obtaining non-interactive zero-knowledge proofs and 
several other cryptographic protocols. 
2.2 Conditional Oblivious Transfer: Definition

We now give the formal definition of Conditional Oblivious Transfer. 

Definition 1. Let Alice and Bob be two probabilistic Turing machines running
in time polynomial in some security parameter $n$. Also, let $x_A$ ($x_B$) be Alice's
(respectively, Bob's) private input, let $b$ be the private bit Alice wants to send to
Bob, and let $q(\cdot, \cdot)$ be a predicate computable in polynomial time. We say that
(Alice, Bob) is a Conditional Oblivious Transfer protocol for predicate $q$
if there exists a constant $a$ such that:

1. Transfer Validity. If $q(x_A, x_B) = 1$ then for each $b \in \{0,1\}$, it holds that

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a};\ tr \leftarrow (\mathrm{Alice}(x_A, b), \mathrm{Bob}(x_B))(\sigma) : \mathrm{Bob}(\sigma, x_B, tr) = b\,\big] = 1.$$

2. Security against Bob. If $q(x_A, x_B) = 0$ then for any Bob', the random variables $X_0$
and $X_1$ are equally distributed, where, for $b \in \{0,1\}$,

$$X_b = \big[\,\sigma \leftarrow \{0,1\}^{n^a};\ tr \leftarrow (\mathrm{Alice}(x_A, b), \mathrm{Bob}'(x_B))(\sigma) : (\sigma, tr)\,\big].$$

3. Security against Alice. For any efficient Alice', there exists an efficient simulator $M$
such that for any constant $c$, and any sufficiently large $n$, it holds that $|p_0 - p_1| < n^{-c}$,
where $p_0$ and $p_1$ are equal to, respectively,

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a};\ tr \leftarrow (\mathrm{Alice}'(x_A), \mathrm{Bob}(x_B))(\sigma) : \mathrm{Alice}'(\sigma, x_A, tr) = q(x_A, x_B)\,\big]$$

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a} : M(\sigma, x_A) = q(x_A, x_B)\,\big].$$

Notice that here we are defining the security against a possibly cheating Bob
even if he is infinitely powerful (requirement 2), similar to [refs]. In the sequel,
we will also consider security with respect to an honest-but-curious Bob, meaning
that Bob follows his program, but at the end may arbitrarily try to distinguish
random variables $X_0$ and $X_1$. We also note that a definition suitable for the
public-key setting can be easily obtained from the above one. In particular each
party would use its private string too and would be given access also to the
public keys of the other parties; namely, Alice and $M$ would be given Bob's
public key, and Bob would be given Alice's public key. Finally, we note that
the above definition can be extended in a natural way to the case of a message
containing more than one bit.

2.3 Timed-Release Encryption: Definition 

First, we give an informal description. A timed-release encryption scheme is a
protocol between three polynomial time parties: a sender S, a receiver R and
a server V. Time (a positive integer) is represented as a $k$-bit string and is
entirely managed by V. Each message sent in an "encrypted" form from S to
R will be associated with a release-time $d = (d_1, \ldots, d_k)$, where $d_i \in \{0,1\}$,
for $i = 1, \ldots, k$. R can check if the message it got from S is "well-formed". If
the message is "well-formed" then R is guaranteed to be able to decrypt some
message after the release-time $d$. R is allowed to interact with V, while S never
needs to interact with V. Also, for any efficient strategy of R, R cannot decrypt
before the release-time. Finally, V just acts as a time server; i.e., the conversation
V sees reveals no information about the actual message, its release-time or which
sender/receiver pair is involved in the current conversation. Time is managed by
V by answering timing requests from R; namely, first R sends a message to V,
then V answers. V's answer contains some information allowing R to decrypt if
and only if the current time is greater than the release-time.

By $(p_r, s_r)$ (resp., $(p_v, s_v)$) we will denote a pair of R's (resp., V's) public/secret
keys; by $\sigma$ a sufficiently long public random string; by $m \in \{0,1\}^*$ a message, by
$t$ and $d$ the current time according to V's clock and the release-time of message
$m$, both being represented as a $k$-bit string. We now present our formal definition
of timed-release encryption scheme.



Definition 2. Let S, R, V be three probabilistic Turing machines running in time
polynomial in some security parameter $n$. Let $\bot$ denote a special symbol that
may be output by any of S, R, V, on any input, meaning that such input is not
of the specified form. We say that (S, R, V) is a timed-release encryption
scheme if there exists a constant $a$ such that:

0. Correctness. For any $m \in \{0,1\}^*$ and any $d \in \{0,1\}^k$,

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a};\ (p_v, s_v) \leftarrow V(\sigma);\ (p_r, s_r) \leftarrow R(\sigma);\ (enc, d) \leftarrow S(p_r, p_v, m, d);\ req \leftarrow R(p_r, s_r, p_v, enc, d);\ ans \leftarrow V(p_v, s_v, t, req, \sigma) : (t < d) \vee (R(p_r, s_r, ans) = m)\,\big] = 1.$$

1. Security against S. For any probabilistic polynomial time S', any constant $c$, and
any sufficiently large $n$,

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a};\ (p_v, s_v) \leftarrow V(\sigma);\ (p_r, s_r) \leftarrow R(\sigma);\ (enc, d) \leftarrow S'(p_r, p_v);\ req \leftarrow R(p_r, s_r, p_v, enc, d);\ ans \leftarrow V(p_v, s_v, t, req, \sigma) : (t < d) \vee (req = \bot) \vee (R(p_r, s_r, ans) \neq \bot)\,\big] > 1 - n^{-c}.$$

2. Security against R. For any probabilistic polynomial time R' = (R'$_1$, R'$_2$, R'$_3$, R'$_4$), any
constant $c$, and any sufficiently large $n$,

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a};\ (p_v, s_v) \leftarrow V(\sigma);\ (p_r, s_r) \leftarrow R'_1(\sigma, p_v);\ (m_0, m_1, aux) \leftarrow R'_2(\sigma, p_v, p_r, s_r);\ i \leftarrow \{0,1\};\ (enc, d) \leftarrow S(p_r, p_v, m_i, d);\ req \leftarrow R'_3(p_r, s_r, p_v, enc, d);\ ans \leftarrow V(p_v, s_v, t, req, \sigma) : (t < d) \wedge R'_4(p_r, s_r, aux, ans) = i\,\big] < 1/2 + n^{-c}.$$

3. Security against V. For any probabilistic polynomial time V' = (V'$_1$, V'$_2$, V'$_3$), any
constant $c$, and any sufficiently large $n$,

$$\mathrm{Prob}\big[\,\sigma \leftarrow \{0,1\}^{n^a};\ (p_r, s_r) \leftarrow R(\sigma);\ (p_v, s_v) \leftarrow V'_1(\sigma, p_r);\ ((m_0, d_0), (m_1, d_1), aux) \leftarrow V'_2(\sigma, p_r);\ i \leftarrow \{0,1\};\ (enc, d_i) \leftarrow S(p_r, p_v, m_i, d_i);\ req \leftarrow R(p_r, s_r, p_v, enc, d_i) : V'_3(p_v, s_v, t, req, aux, \sigma) = i\,\big] < 1/2 + n^{-c}.$$

Notes on Definition 2:

— The validity of the encryption scheme is defined even with respect to ma- 
licious senders (requirement 1): even if S is malicious, and tries to send a 
message for which he claims the release-time to be d, then R can always 
decrypt after time d. 

— The security against malicious R (requirement 2), and V (requirement 3)
have been defined in the sense of semantic security [refs] against chosen mes-
sage attack. Extensions to chosen ciphertext attack can be similarly formal-
ized.

— A scheme satisfying the above definition also protects the sender’s anonymity: 
namely, the sender does not need to use his public or private keys when talk- 
ing to the receiver, and never talks to the server. 



3 A Conditional Oblivious Transfer Protocol for GE 

In this section we show a conditional oblivious transfer protocol for predicate 
GE. Our result is the following 

Theorem 3. Let GE be the predicate defined in Section 2.1. The protocol (Al-
ice, Bob) presented in Section 3.1 is a conditional oblivious transfer protocol for
GE, for which requirement 1 of Definition 1 holds with respect to any honest-
but-curious and infinitely powerful Bob and requirement 3 of Definition 1 holds
with respect to any probabilistic polynomial time Alice under the hardness of
deciding quadratic residuosity modulo Blum integers.

The rest of this section is devoted to the proof of Theorem 3.

3.1 Our Conditional Oblivious Transfer Protocol 

We first give an informal description of the ideas in our protocol and then give 
the formal description. 

An informal description. We will use as a subprotocol (A, B) a simple vari-
ation of the oblivious transfer protocol given in [refs], based on quadratic
residuosity modulo Blum integers. For lack of space, we omit the description
of such protocol but give the properties necessary for our construction here. By
NQR-COT-Send$(b, (x, y))$ we denote the algorithm A on input a bit $b$ and $(x, y)$,
where $x$ is a Blum integer, $y \in Z_x^{+1}$. By NQR-COT-Receive$(mes, (x, p, q, y))$
we denote the algorithm B using the factors $p, q$ of $x$ to decode a message $mes$
sent by A using $(x, y)$, where the result of such decoding will be either $b$ or $\bot$
(indicating an invalid message). We recall that in protocol (A, B), algorithm B
will receive bit $b$ sent by A if $y$ is a quadratic non residue and the actual value
of $b$ will remain information-theoretically hidden with respect to an honest-but-
curious B otherwise. Moreover, no efficient strategy allows A to guess whether
B actually received the right value for $b$ or not.

Informally, our COT protocol for the predicate GE works as follows. At the
beginning of the protocol, Alice has a $k$-bit string $t = (t_1, \ldots, t_k)$ as her secret
key and Bob has a $k$-bit string $d = (d_1, \ldots, d_k)$ as his secret key. Moreover, let
$b$ be the bit that Alice wants to send to Bob. First of all, Bob computes a Blum
integer $x$, and a $k$-tuple $(D_1, \ldots, D_k)$ as his public key, where $D_i = r_i^2 (-1)^{d_i} \bmod x$,
where the $d_i$'s are part of Bob's secret key. Similarly, Alice computes her public
key as integers $T_1, \ldots, T_k \in Z_x^{+1}$, where $T_i$ is a quadratic non residue if and
only if $t_i = 1$. Now, one would like to use properly computed products of the
$T_i$'s and $D_i$'s to play the role of integer $y$ in the above mentioned protocol
(A, B), where the products are computed according to the boolean expression
that represents predicate GE over bit strings. A protocol implementing this
would require $O(k^2)$ modular multiplications. We show below a protocol which
only requires $8k$ modular multiplications.

First of all Alice splits bit $b$ into bit $a$ and bit $a \oplus b$, for random $a$, and sends $a$
using $(x, T_1)$ and $a \oplus b$ using $(x, D_1 T_1 \bmod x)$ as inputs for the subprotocol (A, B)
(notice that this allows Bob to receive $b$ if and only if $t_1 > d_1$). Then, Alice will
send a random bit $c$ using $(x, -T_1 D_1 \bmod x)$ as input (this allows Bob to receive
$c$ if and only if $t_1 = d_1$). The gain in having the latter step is that it allows Alice
to run the same scheme recursively on the tuple $(T_2, \ldots, T_k, D_2, \ldots, D_k)$, using
as input $b \oplus c$. Notice that if $t < d$ Bob will be able to compute only bits with
distribution uniform and independent from $b$. In this protocol Alice only performs
8 modular multiplications for each $i$ (this is because A's algorithm only requires
2 modular multiplications). We now proceed with the formal description of our
scheme (Alice, Bob).



The algorithm Alice: On input $b, t_1, \ldots, t_k \in \{0,1\}$, Alice does the following:

1. Receive: $x, D_1, \ldots, D_k$ from Bob and set $b_1 = b$.

2. For $i = 1, \ldots, k$,

uniformly choose $a_i, c_i \in \{0,1\}$, $r_i \in Z_x^*$ and compute $T_i = r_i^2 (-1)^{t_i} \bmod x$;

if $i = k$ then set $c_k = b_k$;

compute $mes_{i1} =$ NQR-COT-Send$(a_i, (x, T_i))$;

compute $mes_{i2} =$ NQR-COT-Send$(a_i \oplus b_i, (x, D_i T_i \bmod x))$;

compute $mes_{i3} =$ NQR-COT-Send$(c_i, (x, -D_i T_i \bmod x))$;

set $b_{i+1} = b_i \oplus c_i$;

set $p_A = (T_1, \ldots, T_k)$ and $mes = ((mes_{11}, mes_{12}, mes_{13}), \ldots, (mes_{k1}, mes_{k2}, mes_{k3}))$;
send: $(p_A, mes)$ to Bob.
The algorithm Bob: On input a sufficiently long string $\sigma$ and $d_1, \ldots, d_k \in \{0,1\}$,
Bob does the following:

1. Uniformly choose two $n$-bit primes $p, q$ such that $p \equiv q \equiv 3 \bmod 4$ and set $x = pq$;
for $i = 1, \ldots, k$, uniformly choose $r_i \in Z_x^*$ and compute $D_i = r_i^2 (-1)^{d_i} \bmod x$;

let $p_B = (x, D_1, \ldots, D_k)$ and send: $p_B$ to Alice.

2. Receive: $((T_1, \ldots, T_k), (mes_{11}, mes_{12}, mes_{13}, \ldots, mes_{k1}, mes_{k2}, mes_{k3}))$ from Al-
ice.

3. For $i = 1, \ldots, k$,

compute $a_i =$ NQR-COT-Receive$(mes_{i1}, (x, p, q, T_i))$;
compute $e_i =$ NQR-COT-Receive$(mes_{i2}, (x, p, q, D_i T_i \bmod x))$;
if $a_i \neq \bot$ and $e_i \neq \bot$ then

output: $a_i \oplus e_i \oplus c_{i-1} \oplus \cdots \oplus c_1$ and halt;
else compute $c_i =$ NQR-COT-Receive$(mes_{i3}, (x, p, q, -D_i T_i \bmod x))$;
if $i = k$ and $c_k \neq \bot$ then output: $c_k \oplus c_{k-1} \oplus \cdots \oplus c_1$ and halt;
output: $\bot$.
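The (Alice, Bob) protocol above, as an added Python example that is not part of the paper. The NQR-COT subprotocol is omitted in the text, so the block assumes a Goldwasser-Micali-style realisation ($mes = r^2 y^b \bmod x$, decoded with the factors of $x$); the Miller-Rabin prime generation, the helper names and the toy key size are also assumptions, and the block spells out the $t = d$ case and the early-halt case in which a needed $c_j$ was hidden.

```python
# Added example (not from the paper): GE conditional oblivious transfer of Section 3.1.
# The NQR-COT subprotocol is ASSUMED (GM-style); Alice/Bob follow the formal description.
import math
import secrets
from functools import reduce
from operator import xor

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (assumed helper)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(secrets.randbelow(n - 3) + 2, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True

def blum_prime(bits):
    """Random `bits`-bit prime p with p = 3 mod 4; two of them give a Blum integer."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p

def is_qr(a, p, q):
    """Quadratic residuosity mod x = pq, decided with the factors (Euler's criterion)."""
    return pow(a % p, (p - 1) // 2, p) == 1 and pow(a % q, (q - 1) // 2, q) == 1

def rand_unit(x):
    """Uniform element of Z_x^*."""
    while True:
        r = secrets.randbelow(x - 2) + 2
        if math.gcd(r, x) == 1:
            return r

def encode_bit(bit, x):
    """r^2 (-1)^bit mod x: Jacobi symbol +1, and a QNR iff bit == 1 (x a Blum integer)."""
    return (pow(rand_unit(x), 2, x) * (x - 1 if bit else 1)) % x

def nqr_cot_send(bit, x, y):
    """ASSUMED NQR-COT-Send: r^2 * y^bit mod x. QNR iff bit == 1 when y is a QNR;
    always a QR (bit perfectly hidden) when y is a QR."""
    return (pow(rand_unit(x), 2, x) * (y if bit else 1)) % x

def nqr_cot_receive(mes, x, p, q, y):
    """ASSUMED NQR-COT-Receive; None stands for the paper's bottom symbol."""
    if is_qr(y, p, q):
        return None  # y is a QR, so mes carries no information about the bit
    return 0 if is_qr(mes, p, q) else 1

def bob_keygen(d, p, q):
    """Bob, step 1: x = pq and D_i = r_i^2 (-1)^{d_i} mod x."""
    x = p * q
    return x, [encode_bit(di, x) for di in d]

def alice_send(b, t, x, D):
    """Alice's algorithm: returns (p_A, mes) for her secret t and the bit b."""
    T = [encode_bit(ti, x) for ti in t]
    mes, b_i = [], b  # b_1 = b
    for i in range(len(t)):
        a_i, c_i = secrets.randbelow(2), secrets.randbelow(2)
        if i == len(t) - 1:
            c_i = b_i  # c_k = b_k
        DT = (D[i] * T[i]) % x
        mes.append((nqr_cot_send(a_i, x, T[i]),            # a_i:       readable iff t_i = 1
                    nqr_cot_send(a_i ^ b_i, x, DT),        # a_i ^ b_i: readable iff t_i != d_i
                    nqr_cot_send(c_i, x, (x - DT) % x)))   # c_i:       readable iff t_i = d_i
        b_i ^= c_i  # b_{i+1} = b_i ^ c_i
    return T, mes

def bob_receive(p, q, x, D, T, mes):
    """Bob, step 3: returns b if GE(t, d) holds, otherwise None (bottom)."""
    c = []  # c_1 .. c_{i-1}; a None entry means some earlier position had t_j < d_j
    for i, (m1, m2, m3) in enumerate(mes):
        DT = (D[i] * T[i]) % x
        a_i = nqr_cot_receive(m1, x, p, q, T[i])
        e_i = nqr_cot_receive(m2, x, p, q, DT)
        if a_i is not None and e_i is not None:  # t_i = 1, d_i = 0: first strict difference
            return None if None in c else a_i ^ e_i ^ reduce(xor, c, 0)
        c.append(nqr_cot_receive(m3, x, p, q, (x - DT) % x))
    return None if None in c else reduce(xor, c, 0)  # t = d: c_k = b ^ c_1 ^ ... ^ c_{k-1}

def run_cot(b, t, d, bits=32):
    """One full execution; t and d are bit lists, most significant bit first (toy size)."""
    p, q = blum_prime(bits), blum_prime(bits)
    x, D = bob_keygen(d, p, q)
    T, mes = alice_send(b, t, x, D)
    return bob_receive(p, q, x, D, T, mes)
```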



3.2 Conditional Oblivious Transfer: The Proof 

We need to prove three properties: transfer validity, security against Alice and 
security against Bob. 

Transfer validity. Assume predicate $q$ is true; i.e., $t_1 \circ \cdots \circ t_k \ge d_1 \circ \cdots \circ d_k$.
Notice that if $t_1 > d_1$ then $T_1$ and $D_1 T_1 \bmod x$ are quadratic non residues and
by the validity property of NQR-COT-Receive, Bob can compute $a_1, e_1$ and
therefore $b$ as $a_1 \oplus e_1$. Now, assume that $t_j = d_j$, for $j = 1, \ldots, i-1$ and
$t_i > d_i$, for some $i \in \{1, \ldots, k\}$. Then, since $t_j = d_j$, the integer $-T_j D_j \bmod x$
is a quadratic non residue modulo $x$ and Bob can compute $c_j$, for each $j =
1, \ldots, i-1$, by the validity property of NQR-COT-Receive; moreover, since
$t_i > d_i$, Bob can compute both $a_i$ and $e_i$ from Alice's message. Since $e_i =
a_i \oplus b \oplus c_1 \oplus \cdots \oplus c_{i-1}$, Bob can compute $b$ as $a_i \oplus e_i \oplus c_1 \oplus \cdots \oplus c_{i-1}$. Finally,
the case of $t_j = d_j$, for $j = 1, \ldots, k$, is similarly shown, by just observing that
$c_k$ is set equal to $b \oplus c_1 \oplus \cdots \oplus c_{k-1}$.

Security against Bob. To prove security against any honest-but-curious algo-
rithm Bob', first, assume that $x$ is a Blum integer, $D_1, \ldots, D_k \in Z_x^{+1}$ and predi-
cate $q$ is false; i.e., $t_1 \circ \cdots \circ t_k < d_1 \circ \cdots \circ d_k$. Consequently, for some $i \in \{1, \ldots, k\}$
it must be that $t_j = d_j$, for $j = 1, \ldots, i-1$, and $t_i < d_i$. Note that according to
Alice's algorithm, $b$ can be written as $a_1 \oplus e_1$ or as $c_1 \oplus \cdots \oplus c_{l-1} \oplus a_l \oplus e_l$, for
some $l$. Then, since $T_j D_j$, for $j = 1, \ldots, i-1$, is a quadratic residue modulo $x$,
for each $j$, it holds that at most $c_j$ and $a_j$ can be computed from $mes_{j1}, mes_{j3}$,
but $e_j$ is information-theoretically hidden given $mes_{j2}$, from the properties of
NQR-COT-Send. Notice that both $a_j$ and $c_j$ are independently and uniformly
distributed bits. Then, since $t_i < d_i$, Bob' has no information about either $a_i$ or
$c_i$; this guarantees that even for any $i' > i$ such that $t_{i'} > d_{i'}$, Bob' will obtain
$a_{i'}$ and $a_{i'} \oplus b_{i'}$, but not $b$ since $b_{i'} = b \oplus c_1 \oplus \cdots \oplus c_{i'-1}$. Moreover, even for such
values $i'$, the values received by Bob' are again independently and uniformly
distributed bits. Hence, for any $b$, Bob' only sees uniform and independent bits.
Therefore, the two variables $X_0, X_1$ are equally distributed.
Security against Alice. Notice that Alice's role in the protocol consists of a
single message to Bob. Therefore, if after the protocol, Alice has a non-negligible
advantage over any efficient simulator $M$ in deciding the predicate $q$, then she
has the same advantage when she is given only Bob's public message $p_B$ before
running the protocol. Therefore, there exists an efficient $M$ that has the same
advantage in deciding predicate $q$ as Alice. Finally, using a standard hybrid
argument, $M$ has a non-negligible advantage in deciding the quadratic residuosity
modulo the Blum integer $x$ of one of the $D_i$'s, and therefore of any $y \in Z_x^{+1}$.

This concludes the proof of Theorem 3.

4 A Timed-Release Encryption Scheme 

In this section, we present our construction of a timed-release encryption scheme 
which can be viewed as a transformation from any ordinary encryption scheme 
into a timed-release one. It uses as additional tools, a non-malleable encryption 
scheme and a conditional oblivious transfer protocol for the predicate GE. Our 
scheme can be based on several different intractability assumptions, according 
to what goal one is interested in (i.e., generality of the assumptions, efficiency in 
terms of communication, and efficiency in terms of computation). We discuss all 
these variants after our formal description and proof. Our result is the following 

Theorem 4. The scheme (S, R, V) defined in Section 4.1 is a timed-release en-
cryption scheme.



4.1 Description of Our Scheme 

We start with an informal description of the ideas needed for our scheme. A first
idea for the construction of our scheme would be to use the conditional oblivious
transfer designed in Section 3 as follows. Assume the receiver has obtained the
release-time $d = (d_1, \ldots, d_k)$ of the message from the sender. Since the server
has the current time $t = (t_1, \ldots, t_k)$, the server and the receiver can execute
the conditional oblivious transfer protocol for predicate GE, where the server
plays as Alice on input $t$ and the receiver plays as Bob on input $d$. Addition-
ally, the receiver, by running this protocol should get the information required
to decrypt and compute the message. The properties of conditional oblivious
transfer guarantee that the receiver will be able to receive some private infor-
mation if and only if the time of the receiver's request was not earlier than the
release-time. First, we have to decide what secret information should be sent
from the server to the receiver in the event that the release-time is past. This
can be as follows: the sender will first encrypt the message using the receiver's
public key, and then encrypt this encryption using the server's public key. Let $z_0$
be the resulting message. Then the private information sent by the server to the
receiver could be the decryption of $z_0$ under the server's public key. Note this is
the encryption of the message under the receiver's key and therefore this would
give the receiver a way to compute the message. Moreover, the sender does not
get any information about the message since he only sees an encryption of it.

A second issue is about the release-time. So far, we have assumed that the
receiver encrypts the same release-time that he obtains from the sender, and the
server uses those encryptions for the conditional oblivious transfer. However, a
malicious receiver could simply replace the release-time with an earlier one and
obtain the message earlier. Now, a first approach to prevent this is the following:
the server will compute the bit-by-bit encryption of the release-time needed for
the conditional oblivious transfer and send it to the receiver, together with a
further encryption of it under the server's public key. Let $z_1$ be the resulting
message. The idea would be that the receiver will be required to send $z_1$ to the
server so that the server can verify that he is using the right encryptions. Still,
the receiver can compute a faked encryption $z'_1$ and repeat the same attack as
before. However, now we can have the sender encrypt under the server's key the
concatenation of the encryption of the release-time (under the receiver's key)
and the encryption of the message (under the receiver's key). In other words,
$z_0$ and $z_1$ are actually merged into a single encryption $z$. Now, the only attack
the receiver can try is to modify $z$ into something which may be decrypted
as encryptions of the same message and a different release-time. However, this
can be prevented by requiring that the encryption scheme of the server is non-
malleable. The preceding discussion gives us our timed-release encryption scheme
described formally below.

A formal description of our scheme. Let (nm-G, nm-E, nm-D) be a non-
malleable encryption scheme, and denote by (nm-pk, nm-sk) the pair of public
and secret keys output by nm-G. Also, let (Alice, Bob) denote the conditional
oblivious transfer protocol for predicate GE given in Section 3. We now describe
the three algorithms S, R, V; in each algorithm, when necessary, we differentiate
between the key-generation phase and the encryption/decryption phase. Also,
we assume wlog that the message $m$ to be encrypted is a single bit.

The algorithm S: 

Key-Generation Phase: no instruction required. 

Encryption Phase: 

1. Let $(m, d)$ be the pair message/release-time input to S, where $m \in \{0,1\}$;

2. let $(x)$ be R's public key;

3. uniformly choose $r \in Z_x^*$ and compute $C_m = r^2 (-1)^m \bmod x$;

4. let $d = d_1, \ldots, d_k$, where $d_i \in \{0,1\}$, for $i = 1, \ldots, k$;

5. for $i = 1, \ldots, k$, uniformly choose $r_{di} \in Z_x^*$ and compute $D_i = r_{di}^2 (-1)^{d_i} \bmod x$;

6. let $C_d = (D_1, \ldots, D_k)$;

7. compute $cc =$ nm-E(nm-pk, $C_d \circ C_m$) and output: $(cc, C_d, d)$.

The algorithm R: 

Key-Generation Phase: 

1. Uniformly choose two $n/2$-bit primes $p, q$ such that $p \equiv q \equiv 3 \bmod 4$ and set $x = pq$;

2. let $L$ be the language $\{x \mid x \text{ is a Blum integer}\}$;

3. using $\sigma, p, q$, compute a non-interactive zero-knowledge proof $\Pi$ for $L$;

4. output: $(x, \Pi)$.

Decryption Phase:

1. Let $(cc, C_d, d)$ be the triple received from S;

2. let $d = d_1, \ldots, d_k$, where $d_i \in \{0,1\}$, for $i = 1, \ldots, k$;

3. for $i = 1, \ldots, k$,

using $p, q$, set $d'_i = 1$ if $(x, D_i) \in NQR$ or $d'_i = 0$ otherwise;
if $d'_i \neq d_i$ then output: $\bot$ and halt.

4. run step 1 of algorithm Bob, by sending $(x, D_1, \ldots, D_k)$ to V;

5. send $cc, \Pi$ to V;

6. run step 2 of algorithm Bob, by receiving $(T_1, \ldots, T_k), mes$ from V;

7. run step 3 of algorithm Bob, by decoding $mes$ as $C_m$;

8. if $C_m \neq \bot$ then compute $m = D(sk, pk, C_m)$ and output: $m$ else output: $\bot$.

The algorithm V: 

Key-Generation Phase: 

1. Run algorithm nm-G to generate a pair (nm-pk, nm-sk);

2. output: nm-pk.

Timing service phase:

1. run step 1 of algorithm Alice, by receiving $(x, D_1, \ldots, D_k)$ from R;

2. receive $cc, \Pi$ from R;

3. verify that the proof $\Pi$ is accepting;

4. compute $(c'_d, c'_m) =$ nm-D(nm-sk, nm-pk, $cc$);

5. if $C_d \neq c'_d$ or the above verification is not satisfied then output $\bot$ to R and halt;

6. let $t = (t_1, \ldots, t_k)$ be the current time, where $t_i \in \{0,1\}$, for $i = 1, \ldots, k$;

7. for $i = 1, \ldots, k$, uniformly choose $r_i \in Z_x^*$ and compute $T_i = r_i^2 (-1)^{t_i} \bmod x$;

8. run step 2 of algorithm Alice, by computing $mes$;

9. output: $(T_1, \ldots, T_k), mes$.

Round complexity: In the above description, we use the specific conditional
oblivious transfer protocol of Section 3 based on quadratic residuosity, since this
protocol shows that the entire timed-release scheme can be implemented with minimum
interaction. Notice that the sender does not interact at all with the server. More-
over, the sender only sends one message to the receiver in order to encrypt a
message, after the receiver has published his public key. Finally the interaction
between receiver and server is one round (after both parties have published their
own public keys).

Efficiency: In the above description, we can use a generic non-malleable en-
cryption scheme. A practical implementation would use, for instance, the scheme
by Cramer and Shoup [refs], that is based on the hardness of the decision Diffie-
Hellman problem. Recall that the scheme in [refs] requires about 5 exponentiations
from its parties. The rest of the communication between sender and receiver is
based on computing an encryption of the message $m$ and release-time $d$, which
requires at most $k$ modular products (which is less expensive than one exponen-
tiation, since $k$ is the number of bits to encode time, and therefore a very small
constant). Then, the interaction between server and receiver requires only $8nk$
modular products (which is about $8k$ $n$-bit exponentiations). We observe that
the communication complexity is $12nk + n \log t$ and the storage complexity is
$6n + n \log t$, where $t$ is the soundness parameter required for the non-interactive
zero-knowledge proof.

Complexity Assumptions: We remark that by using the non-malleable en-
cryption scheme in [refs], and implementing the conditional oblivious transfer
protocol using well-known results on private two-party computation [refs],
our scheme can be implemented using any one-way trapdoor permutation.

5 Timed-Release Encryption: The Proof 

We would like to prove Theorem 4. First of all observe that S, R, V run in proba-
bilistic polynomial time; in particular the non-interactive zero-knowledge proof
$\Pi$ can be efficiently computed and verified using the protocol in [refs]. Now we
need to prove four properties: correctness, security against S, security against
R and security against V. The correctness requirement directly follows from the
properties of the conditional oblivious transfer and the encryption schemes used
as subprotocols. We now concentrate on the remaining three properties.

Security against S. We need to show that for any probabilistic polynomial time
S', if R does not output $\bot$ and $t \ge d$ then R can compute the message $m$ sent by
S'. Notice that if R does not output $\bot$ then the release-time has a right format;
then, since $t \ge d$, by the transfer validity property of the conditional transfer
protocol used, R will always receive $C_m$ and then compute $m$ with probability 1.

Security against R. Assume that S and V are honest. Consider the following
experiment for any probabilistic polynomial time algorithm R' = (R'$_1$, R'$_2$, R'$_3$, R'$_4$).
Let $((x, \Pi), (p, q))$ be the pair computed by R'$_1$ on input $\sigma, p_v$ and let $(m_0, m_1)$ be
the two messages returned by R'$_2$ on input $\sigma, x, p, q$. Let $b$ be a uniformly chosen bit,
and let $((cc, C_d), d)$ be the output of S on input message $m_b$, the public key $pk$ of
R' and the public key nm-pk of V. Now, let $req = (x, \Pi, cc', c'_d)$ be the request
made by R'$_3$ to V, and let $ans$ be V's reply at some time $t < d$. We now want to
show that for any $t$ such that $t < d$, the probability $p$ that R'$_4(x, \Pi, p, q, ans) = b$
is at most $1/2 + n^{-c}$, for any constant $c$ and all sufficiently large $n$. We divide
the proof in three cases.

Case 1: $cc' = cc$ and $c'_d = C_d$. Assume that there exists a $t$ such that $t < d$ and
the above probability $p$ is at least $1/2 + n^{-c}$, for some constant $c$ and infinitely
many $n$. Now, we explain how to turn R' into an algorithm B' that can break
the scheme (nm-G, nm-E, nm-D). The idea is of course to simulate an entire
execution of the protocol, and then use R' in order to break the mentioned
scheme. Specifically, B' uses R'$_1$ in order to generate the pair of public/private
keys. Now, given the two messages $m_0, m_1$ output by R'$_2$ as candidates to be
encrypted using the timed release encryption scheme, B' will compute the two
messages nm-$m_0$, nm-$m_1$ that are the candidates to be encrypted under the non-
malleable scheme. These two messages are computed by encrypting the messages
$m_0, m_1$, respectively, using the public key output by R'$_1$. Now, a bit $b$ is uniformly
chosen in the attack experiment associated to the non-malleable scheme, and
nm-$m_b$ is encrypted using such encryption scheme (this is the encryption $cc$).
This automatically chooses message $m_b$ in the experiment associated with the
timed release scheme. Now, B' uses R'$_3$ to send a request $(x, \Pi, cc', c'_d)$ to V;
recall that we are assuming that $cc = cc'$ and $C_d = c'_d$, therefore, B' will now
simulate the server using the assumed time $t$. Notice that he does not need to
know the string $C_m$ that is part of the decryption of $cc'$ since when $t < d$, by
Property 2 of the conditional oblivious transfer (Alice, Bob), the receiver is only
obtaining transfers of uniformly distributed bits, which are therefore easy to
simulate. Finally, B' runs algorithm R'$_4$ on the (simulated) answer obtained by
V. Now, notice that since the simulation of V is perfect, the probability that B'
breaks the non-malleable encryption scheme is the same as $p$, which contradicts
the security of scheme (nm-G, nm-E, nm-D).

Case $cc' = cc$ and $c'_d \neq C_d$. This case cannot happen, since V decrypts $cc'$ as
$(C_d, C_m)$ and can see that $c'_d \neq C_d$, and therefore outputs $\bot$ and halts.

Case $cc' \neq cc$. This case contradicts the non-malleability of the scheme used by
V. This is because given history $C_d$ about plaintext $pl = (C_d, C_m)$, and ciphertext
$cc$, R' is able to compute a ciphertext $cc'$ of some related plaintext $pl' = (C_d, c'_m)$,
i.e., such that $c'_m$ is a valid encryption of $m$ under the key of R'. The fact that
$c'_m$ is a valid encryption of $m$ under such key is guaranteed by our original con-
tradiction assumption that R' successfully breaks the timed release encryption
scheme.

Security against V. We see that the server V receives a tuple $(x, \Pi, cc, C_d)$,
and he can decrypt $cc$ as $(c_m, c'_d)$ and check that $c'_d = C_d$. Namely, he obtains
encryptions of the message $m$ and the release-time $d$ under the receiver's key.
The semantic security of the encryption scheme used guarantees that the server
does not obtain any additional information about $m, d$. Moreover, notice that the
tuple $(x, \Pi, cc, C_d)$ is independent from the sender's identity and the receiver's
identity. Therefore, V does not obtain any information about the sender's or the
receiver's identity either.

This concludes the proof of Theorem 4.
Abstract. This paper proposes a simple threshold Public-Key Cryp-
tosystem (PKC) which is secure against adaptive chosen ciphertext at-
tack, under the Decisional Diffie-Hellman (DDH) intractability assump-
tion.

Previously, it was shown how to design non-interactive threshold PKC
secure under chosen ciphertext attack, in the random-oracle model and
under the DDH intractability assumption [refs]. The random-oracle was
used both in the proof of security and to eliminate interaction. General
completeness results for multi-party computations [refs] enable in prin-
ciple converting any single server PKC secure against CCA (e.g., [refs])
into a threshold one, but the conversions are inefficient and require much
interaction among the servers for each ciphertext decrypted.

The recent work by Cramer and Shoup on single server PKC secure
against adaptive CCA is the starting point for the new proposal.



1 Introduction 

A threshold public-key cryptosystem (PKC) [refs] extends the idea of a PKC
as follows: instead of a single party holding the private decryption key, there
are $n$ decryption servers, each of which holds a piece of the private decryption
key. When a user receives a ciphertext $c$ to be decrypted, she sends $c$ to each
decryption server, receives a piece of information from each, and recovers the
cleartext from the collected pieces.

Semantic security of encryption schemes [?] can be easily extended to the threshold PKC case. A threshold PKC is called t-secure if a coalition of t curious but honest servers cannot distinguish between ciphertexts of different messages, yet sufficiently many servers can jointly reconstruct the cleartext. A threshold PKC is called t-robust if it meets these requirements even when up to t servers are maliciously faulty.

Secure and robust threshold PKC's can be designed, under general assumptions such as the existence of trapdoor permutations and using multi-party computation completeness theorems [?], to convert any centralized semantically secure PKC into a threshold one. More efficient threshold PKC's have been designed based on the RSA and DH intractability assumptions [?]. All of these proposals require interaction among the servers and the user in order to achieve robustness for a linear fraction of faults. The general conversions require interaction to achieve both security and robustness. In the work of [?] the presence of a trusted dealer, which distributes verification data for each pair of server and user in a pre-processing stage, is proposed as a way to eliminate interaction and yet achieve robustness for a linear number of faults (they actually address RSA signatures, but the work can be easily reformulated for RSA decryption).

Stronger notions of security of centralized encryption schemes, namely security against ‘lunch-time attacks’ and ‘chosen ciphertext attacks’ (CCA), were defined, constructed, and studied in [?]. These notions capture additional security concerns when using encryption within a general security application. CCA security of threshold PKC has been recently defined in [?]. In principle the Dolev-Dwork-Naor PKC secure against CCA (using non-interactive zero knowledge) can be converted, using multi-party completeness theorems, into a threshold PKC secure against CCA if trapdoor functions exist, but the resulting scheme is inefficient and requires much interaction among the servers. Efficient CCA-secure threshold PKC schemes were proposed in [?] in the random oracle model under the DDH intractability assumption. The use of random oracles was essential for proving security against CCA. Once the random oracle was present, it was also used to eliminate interaction to achieve robustness of the scheme against a linear number of faulty servers. Our goal is to design an efficient threshold PKC secure against CCA outside the random oracle model.

A threshold decryption service has several applications. Let us sketch a few. One application (suggested in [?]) is for distributing the escrow service in a key recovery mechanism and allowing it to decrypt only specific messages rather than entirely recover the key. Another attractive application is for having public encryption keys associated with an organization. Here messages directed to the organization are encrypted with the organization's public key; the organization's decryption servers then direct the decrypted plaintext to the appropriate organization member. Another application is for a decryption service that ‘sits on the net’ and offers decryption services for customers who do not have their own certified public keys. This service can also be part of an ‘electronic vault’ application (e.g., [?]). Here it may be important that the decryption be done so that no one except some specified party, not even the decryption servers themselves, will learn anything about the plaintext. (Our security requirements from a threshold PKC take these scenarios into consideration, in an explicit way.)
1.1 New Results

In this paper we present a new threshold PKC, which is provably secure against CCA based on the DDH intractability assumption. Our scheme makes no use of random oracles. The scheme achieves security against a coalition of t honest but curious servers for any t < n/2.

The starting point for our scheme is the recent attractive result of Cramer and Shoup [?], which proposed (using techniques reminiscent of those of [?]) an efficient centralized PKC secure against adaptive CCA under the DDH intractability assumption.

The idea of the Cramer-Shoup scheme is that the ciphertext carries with it 
a tag, which the decryption algorithm checks for validity before computing the 
cleartext. If the tag is valid then the cleartext is output, else the decrypting 
algorithm outputs ‘invalid’. Simplistically stated, unless the legal encryption 
algorithm was used to produce the ciphertext, it is computationally hard to 
come up with anything but an invalid tag, and thus it is safe for the server to 
decrypt ciphertexts carrying a valid tag. 

Differently from previous PKC's proved secure against lunch-time attacks and CCA [?], this scheme is not publicly verifiable. That is, deciding whether the tag is valid or not requires knowledge of the private key. In particular, this knowledge enables computing from the ciphertext a value tag' which should equal tag when the ciphertext is valid.

We now turn our attention to trying to make Cramer-Shoup into a threshold PKC system. First note that if one is willing to increase the size of the ciphertext (and of the public encryption key) proportionally to the number of servers, then achieving threshold CCA security is very simple: let each server have a separate public key of the Cramer-Shoup scheme, and modify the encryption algorithm so that it first generates a Shamir secret sharing of the message m, and then each share is separately encrypted using the public key of the ith server. Each server decrypts its share as usual and hands it to the decrypting user.

However, we are interested in schemes where the ciphertext and the encryption key are small, and in particular independent of the number of servers. A straightforward approach would thus be to distribute the private key among all the decryption servers. When a ciphertext arrives, the servers distributively compute whether the tag is valid or not, and if it is valid each server outputs a piece of the cleartext. The user then uses the pieces to recover the cleartext. The basic problem of this approach is: how to distributively implement the check that the tags are valid? General completeness results for multi-party computation indicate that this is of course possible in principle, but requires interaction between servers for every ciphertext received. More efficient, DDH-based protocols seem to require interaction as well.



The Main Idea: Avoiding the Validity Check. The new idea is to first modify the PKC scheme so as to avoid an explicit validity check. Instead, the decrypting algorithm (still in the standard PKC case) will output the cleartext if the ciphertext is valid, and otherwise a value indistinguishable from random.¹ Thus, when the ciphertext is invalid (as defined in [?]) the user will get essentially ‘random garbage’ computationally unrelated to the ciphertext. Such a modified scheme (which we label M-CS) enjoys a very similar security proof to the original scheme, but it is now possible to turn it into a threshold PKC scheme avoiding the distributed validity check.

In our threshold PKC scheme, each of the n servers will output a piece of information with the following property:

• if the ciphertext was valid, then the cleartext can be recovered from the pieces sent by the decryption servers; but

• if the ciphertext was invalid, then the collection of all the pieces is indistinguishable from random garbage.

How is this achieved? Let tag, tag' be as discussed above. We come up with a function f such that (1) f(tag, tag') = 1 if tag = tag'; (2) f(tag, tag') = rval if tag ≠ tag' (where rval is indistinguishable from random); and (3) f is easy to distribute, in the sense that it is easy to compute a share of f(tag, tag') from a share of the secret key. Condition (3) is necessary for threshold PKC, whereas any function with input/output behavior as specified in conditions (1)-(2) suffices for M-CS. Using such f, each server will compute from the ciphertext and its share of the private key a share of f(tag, tag'), and send to the user a share of cleartext · f(tag, tag').² The user will combine the shares to obtain cleartext · f(tag, tag'). This choice of f guarantees the property above.

We propose to use f(tag, tag') = (tag/tag')^s where s is a random exponent. In order to implement f, at system startup the servers will agree on a sequence of random numbers s shared between them using some secret sharing method such as polynomial secret sharing, and will use these numbers for f as ciphertexts arrive.

Where Does the Randomness in Decoding Come from? The idea described above requires that for each ciphertext, the servers use a new random number that is shared among them using a secret sharing method such as polynomial secret sharing. How are these numbers chosen and shared? We suggest the following method.

A straightforward implementation would be that before the start of the system the servers agree, using standard methods (e.g., [?]), on m random numbers r_1, ..., r_m, each of which is shared using a polynomial secret sharing among the n players. These are used for decrypting m ciphertexts, after which time a new set of random numbers will be chosen. This means that each server must store in local memory m shares of m random numbers in addition to his secret key. (Alternatively, the servers may generate these random numbers every time a ciphertext appears. However, this method requires interaction among servers at the time of decryption, and is thus not recommended.)

¹ This value does not have to be random. It would actually be sufficient to output, in case of an invalid tag, a value which is unrelated to the ciphertext.

² This is a slight oversimplification for the purpose of exposition in the introduction. In the actual scheme the server sends a share of mask · f(tag, tag') where mask · cleartext is part of the ciphertext. Receiving mask enables the user to compute the cleartext. See exact details within.

This implementation may encounter synchronization problems when the servers receive the ciphertexts in different orders. We suggest solutions within.

We do not know how to keep the memory requirements of the servers independent of the number of decryptions to be performed without interaction among the servers. This is left as an interesting open problem. (See more details in Section [?].)

Robustness. Suppose now that some of the decryption servers are maliciously faulty. To achieve t-robustness we propose several variants of our basic scheme, all of which use [?]-style polynomial secret sharing as a building block. Our solutions use standard tools which have been used in the literature to address robustness of threshold signature and encryption schemes, such as the prover proving in zero-knowledge to the user that the share provided is proper; we come up with efficient instantiations of such tools tailored to the tasks at hand. We stress that in all methods the public encryption key and the encryption algorithm are identical to those of Cramer-Shoup, and in particular are independent of the number of servers. We sketch these methods, all of which achieve t-robustness for up to t < n/2 malicious server faults.

• A first method is fully non-interactive, and is efficient when t = O(√n). Practically speaking, when, say, n = 7 and t = 2 this method is quite efficient.

• A second method requires a simple four-round interactive proof between the user and the decryption servers (no interaction between the decryption servers themselves is necessary). Here each server proves to the user that the piece of decryption information provided is correct. The interactive protocol can be avoided when a sufficient number of decryption servers do not act in a faulty fashion. The user first runs a local detection algorithm to see if she can use the pieces of information she received from the servers to decrypt the ciphertext. Only when the user detects that too many pieces were faulty should she carry out the interactive proofs to determine which pieces were faulty and should be discarded. Here the decrypting user needs some verification information for each of the servers. Thus the size of the public file grows by a factor of n. Yet, it is stressed that the encryption algorithm remains identical to that of Cramer-Shoup, and the public key needed for encryption remains small.

• A third method uses the technique of check-vectors introduced by [?] for VSS implementation and used by [?] to achieve robustness of threshold RSA signatures. The idea of [?] was that at the time of key generation, a trusted dealer generates additional verification data for every user-server pair, and gives part of this data to the user and part to the server. At the time of signature verification, the user uses her verification data to verify non-interactively that each piece of RSA signature she received from each server is non-faulty. A slight modification of the idea of [?] can be applied to our scheme as well to make it non-interactive and t-robust for t < n/2. It will however require each potential decrypting user to have some secret information, and increase the size of each server's key proportionally to the number of potential decrypting users. Thus, this variant is adequate when the number of decrypting users is small, or a ‘decryption gateway’ is available. (For lack of space, this method is deleted from the proceedings version. It is described in [?].)

Remark: The question of whether it is possible to achieve robustness efficiently 
against a linear number of faults without interaction (either among the servers or 
between the servers and the user) or a trusted dealer is an interesting open prob- 
lem for threshold PKC regardless of which security is desirable, be it semantic 
security or CCA. 

1.2 Additional Contributions of This Paper 

A New Definition of Security for Threshold PKC. Another contribution of our work is proposing an alternative definition of security for threshold PKCs to the definition of [?]. (The definition of [?] is stated in the random-oracle model; yet it can be readily transformed to protocols that do not use the random oracle.) An attractive feature of the new definition (which follows a standard methodology for defining security of cryptographic protocols [?]) is that it is geared towards defining the security of the threshold PKC as a component within larger systems. In particular, on top of guaranteeing CCA security, it addresses issues like non-malleability, plaintext awareness [?], and security against dynamic adversaries [?].

Remote Key Encryption. One of the by-products of our method is yet another variant of our PKC (for the single or multiple server case) such that the user can send the ciphertext to a decryption server (or several servers) on-line and receive information which allows the user to recover the cleartext. Yet, neither the servers nor anyone else listening on-line can get any information about the cleartext. This functionality has been introduced, and (very different) constructions were given, in [?]. This variant is secure against lunch-time attacks only.

Proactiveness. Our techniques can be ‘proactivized’ (i.e., modified to withstand mobile faults, as suggested in [?]) in standard ways [?]. See more discussion in [?].

2 Security of Threshold Cryptosystems 

We present a measure of security of threshold PKCs. Our formalization is geared 
towards capturing the security requirements that emerge when using the system 
as a “service” in a complex and unpredictable environment. In a nutshell, the 
definition here requires that the system behaves like an “ideal encryption service” 
under any usage pattern. Indeed, this requirement incorporates known security 
measures like CCA security, non-malleability, plaintext awareness, and security 
against dynamic adversaries. 



Ran Canetti and Shafi Goldwasser



The definition here takes a different approach than that of [?], where threshold CCA-security is regarded as a natural extension of the standard definition of CCA-security to the context of threshold cryptosystems. In particular, security according to the definition here implies security according to the definition of [?]. (The converse does not hold in general.)

For lack of space we only sketch the definition in this extended abstract. See [?] for full details on the definition and its relations with that of [?].



Outline of our definition. Following the approach used for defining security of general cryptographic protocols [?], we proceed in three steps. First we formalize the model of computation and specify a syntax for threshold PKCs. Next we specify an idealized model where a threshold PKC is replaced with an “ideal encryption service”. Finally, we say that a threshold PKC is secure if it emulates the ideal service in a way described below.



The computational model and threshold PKCs. There are n decryption servers $S_1, \ldots, S_n$, an encrypting user E and a decrypting user D. A threshold PKC consists of:

A key generation module that, given the security parameter, generates a public key, pk, known to all parties, and some secret key, $sk_i$, known to each server $S_i$;

An encryption algorithm (run by E) that, given pk, a message m to be encrypted, and random input $\rho$, outputs a ciphertext $c = \mathrm{ENC}_{pk}(m, \rho)$;

A server decryption module that, when operating within server $S_i$ and given $sk_i$ and a ciphertext c, possibly interacts with D and other servers and eventually generates a decryption share $\mu_i$;

A user decryption module (run by D) that, given a ciphertext c, interacts with the servers, and eventually outputs $m = \mathrm{DEC}_{pk}(c, \mu_1, \ldots, \mu_n)$.

A run of the system consists of an invocation of the key generation module 
(at the end of which pk is made public and the secret keys are given to the 
corresponding servers), followed by an interaction among the parties via some 
standard model of distributed communication. (For simplicity assume ideally 
secure and authenticated communication links). The interaction is orchestrated 
by an adversary A who can invoke E and D on cleartexts and ciphertexts of its 
choice; in addition, A can corrupt D and up to t servers. (The corruptions are 
either static or dynamic. Corrupting D gives A access to the decrypted data.) We 
augment the model by allowing the adversary to freely interact with an addi- 
tional entity, called an environment machine Z. This (Turing) machine models the 
external environment, and in particular provides the adversary with arbitrary 
and interactive ‘auxiliary input’ throughout the run of the system. In particular, 
Z learns all the information learned by A (and, in general, can have additional 
information that is unknown to A.) 

We let the global output $\mathrm{EXEC}_{\tau,A,Z}$ of a run of a threshold PKC $\tau$ with adversary A and environment Z be the concatenation of the outputs of all the parties, the adversary, and the environment machine. In particular, the global output registers all the encryption requests made to E, all the decryption requests made to D and each $S_i$, and the resulting ciphertexts and cleartexts.

The ideal encryption model. The ideal model consists of replacing the four modules of a threshold PKC with a trusted service T, parameterized by a threshold t and a security parameter k. First T receives a description of a distribution F from the adversary (who is now called an ideal model adversary, S).³ Next, the trusted party provides the following services:

Ideal Encryption, where E hands T a message m to encrypt. In response, E receives a receipt c, chosen from distribution F independently of m.

Ideal Decryption, where the servers can hand a receipt c to T. Once t servers have handed c to T, and if c was previously generated by T, then T hands D the message m that corresponds to c. Otherwise T ignores the request.

A run of the system in the ideal model is orchestrated by the adversary in the 
same way as described above. 

Let the ideal global output $\mathrm{IDEAL}_{t,S,Z}$ be defined analogously to $\mathrm{EXEC}_{\tau,A,Z}$, with respect to parties running in the ideal encryption model with ideal-model adversary S, where t is the trusted party's threshold.

Security of threshold PKCs. A threshold PKC $\tau$ is called t-secure if it emulates the ideal encryption service in the following way. For any adversary A there should exist an ideal model adversary S such that for any environment Z the global outputs $\mathrm{IDEAL}_{t,S,Z}$ and $\mathrm{EXEC}_{\tau,A,Z}$ are computationally indistinguishable (when regarded as distribution ensembles). We stress that the environment Z is the same in the real-life and ideal executions; that is, S can “mimic” the behavior of A in any environment.

Replacing an ideal service. The quantification over all environments Z provides a powerful guarantee. In particular, it captures the interaction of any application protocol with the PKC in question. Consequently, this definition can be used to show the following attractive property of PKCs. Consider an arbitrary multi-party ‘application protocol’ $\pi$ where, in addition to communicating over the specified communication channels, the parties have access to an ideal encryption service similar to the one described above. Let $\tau$ be a PKC that meets the above definition, and let $\pi^{\tau}$ be the protocol where each call to the ideal service is replaced, in the natural way, with an invocation of the corresponding module of $\tau$. Then $\pi^{\tau}$ emulates $\pi$, where the notion of emulation is similar to the one used above. See more details in [?].

3 A Threshold Cryptosystem 

Our threshold cryptosystem is based on the Cramer-Shoup cryptosystem [?]. We first briefly review the (basic variant of the) Cramer-Shoup scheme, denoted CS, and modify it as a step towards constructing the distributed scheme. Next we present the basic scheme and its extensions.

³ Typically, F will be the distribution of an encryption of a random message in the domain, under a randomly chosen public key.

The Cramer-Shoup scheme. Given security parameter k, the secret key is $(p, g_1, g_2, x_1, x_2, y_1, y_2, z, H)$ where p is a k-bit prime, $g_1, g_2$ are generators of a subgroup of $\mathbb{Z}_p^{*}$ of a large prime order q, the function H is a hash function chosen from a collision-resistant hash function family, and $x_1, x_2, y_1, y_2, z \leftarrow \mathbb{Z}_q$.⁴ The public key is $(p, g_1, g_2, c, d, h)$ where $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$ and $h = g_1^{z}$.

It is assumed that messages are encoded as elements in $\mathbb{Z}_q$. To encrypt a message m choose $r \leftarrow \mathbb{Z}_q$ and let $\mathrm{ENC}(m, r) = (g_1^{r}, g_2^{r}, h^{r} m, c^{r} d^{r\alpha})$, where $\alpha = H(g_1^{r}, g_2^{r}, h^{r} m)$. Decrypting a ciphertext $(u_1, u_2, e, v)$ proceeds as follows. First compute $v' = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$, with $\alpha = H(u_1, u_2, e)$. Next, perform a validity check: if $v \neq v'$ then output an error message, denoted ‘?’. Otherwise, output $m = e / u_1^{z}$. Security of this scheme against CCA is proven, based on the decisional Diffie-Hellman assumption (DDH), in [?].

Towards a threshold scheme. We first observe that this scheme can be slightly modified as follows, without losing in security. If the decryptor finds $v \neq v'$ then instead of outputting ‘?’ it outputs a random value in $\mathbb{Z}_q$. In a sense, the modified scheme is even “more secure” since the adversary does not get notified by the decryptor whether a ciphertext is valid.

Next, modify this scheme further, as follows. The decryption algorithm now does not explicitly check validity. Instead, given $(u_1, u_2, e, v)$ it outputs $e / u_1^{z} \cdot (v'/v)^{s}$, where $v'$ is computed as before and $s \leftarrow \mathbb{Z}_q$. (Note that now the decryption algorithm is randomized.) To see the validity of this modification, notice that if $v = v'$ then $(v'/v)^{s} = 1$ for all s, and the correct value is output. If $v \neq v'$ then the decryption algorithm outputs a uniformly distributed value in $\mathbb{Z}_q$, independent of m, as in the previous scheme. Call this scheme M-CS.

Claim. If scheme CS is secure against CCA then so is scheme M-CS.

Proof. Correctness of M-CS (i.e., correct decryption of correctly generated ciphertexts) clearly holds. To show security against CCA, consider an adversary A that wins in the ‘CCA-game’ (see [?]) against M-CS with probability non-negligibly more than one half. Construct the following adversary A' that operates against CS. A' runs A, with the exception that whenever A' receives an answer ‘?’ from the decryption oracle it chooses $r \leftarrow \mathbb{Z}_q$ and gives r to A. Finally A' outputs whatever A does. The view of A is distributed identically to its view in an interaction with M-CS, thus A predicts the bit b chosen by the encryption oracle of A' with probability non-negligibly more than one half.

Verifying Validity of Ciphertexts. An apparent disadvantage of M-CS is that even a legitimate user of the decryption algorithm does not learn whether a ciphertext was valid. However, this information may be obtained in several ways. First, when applying the decryption algorithm twice to an invalid ciphertext, two independent random numbers are output, but if the ciphertext is valid then both applications output the same cleartext. Alternatively, valid cleartexts can be assumed to have a pre-defined format (say, a leading sequence of zeros). The output of the decryption algorithm on an invalid ciphertext, being a random number, has the right format with probability that can be made negligibly small.

⁴ In fact, H can be a target-collision-resistant hash function. The notation $e \leftarrow D$ means that element e is drawn uniformly at random from domain D.

On Remotely Keyed Encryption. As a side remark, one can trivially change CS and M-CS to qualify as a remotely-keyed-encryption scheme [?] secure against lunch-time attacks. Simply drop d from the public key, and let $\mathrm{ENC}(m, r) = (g_1^{r}, g_2^{r}, h^{r} m, c^{r})$. Then the user sends to be decrypted remotely only $(g_1^{r}, g_2^{r}, c^{r})$, dropping the third component of the ciphertext. To decrypt, the server who gets $(u_1, u_2, v)$ computes $v' = \ldots$ and sends $p = \ldots$ back to the user. The user sets $m = e \cdot p$. Clearly, the server got no information about m. A similar modification can be applied to the threshold PKC coming up in the next section, to obtain a remotely keyed threshold PKC secure against lunch-time attacks.



3.1 A Threshold Cryptosystem for Passive Server Faults

The basic threshold scheme, denoted T-CS, distributes scheme M-CS in a straightforward way. Let $p, q, g_1, g_2$ be as in the original scheme, and let t be the threshold. The scheme requires an additional parameter, L, specifying the number of decryptions performed before the public and secret keys need to be refreshed. We first describe the scheme for the case where all servers follow their protocol.

Key generation. For simplicity we assume a trusted dealer for this stage.⁵ This simplifying assumption can be replaced by an interactive protocol performed by the servers. This can be done using general multi-party computation techniques [?] or more efficiently using techniques from [?]. Say that a polynomial $P(\xi) = a_0 + a_1 \xi + \cdots + a_d \xi^{d} \pmod q$ is a random polynomial for a if $a_0 = a$ and $a_1, \ldots, a_d \leftarrow \mathbb{Z}_q$. The dealer generates:

• $x_1, x_2, y_1, y_2, z \leftarrow \mathbb{Z}_q$ as in the original CS, and random degree-t polynomials $P^{x_1}(), P^{x_2}(), P^{y_1}(), P^{y_2}(), P^{z}()$ for $x_1, x_2, y_1, y_2, z$, respectively.

• L values $s_1, \ldots, s_L \leftarrow \mathbb{Z}_q$ and random degree-t polynomials $P^{s_1}(), \ldots, P^{s_L}()$ for them.

• L random degree-2t polynomials $P^{o_1}(), \ldots, P^{o_L}()$ for the value 0.⁶

Let $x_{j,i} = P^{x_j}(i)$. Let $y_{j,i}, z_i, s_{l,i}, o_{l,i}$ be defined similarly. The secret key of server $S_i$ is now set to $sk_i = (p, q, g_1, g_2, x_{1,i}, x_{2,i}, y_{1,i}, y_{2,i}, z_i, s_{1,i}, \ldots, s_{L,i}, o_{1,i}, \ldots, o_{L,i})$. The public key is identical to that of CS: $pk = (p, q, g_1, g_2, c, d, h)$ where $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, and $h = g_1^{z}$.

⁵ This simplification was suggested in [?].

⁶ Looking ahead, we note that these values are needed to make sure that the partial decryptions are computed based on a random degree-2t polynomial. More specifically, these shares make sure that the polynomial Q() defined below is a random degree-2t polynomial for the appropriate value.
Encryption is identical to CS: $\mathrm{ENC}_{pk}(m, r) = (g_1^{r}, g_2^{r}, h^{r} m, c^{r} d^{r\alpha})$ where $\alpha = H(g_1^{r}, g_2^{r}, h^{r} m)$.

Decryption. Each server $S_i$ proceeds as follows to decrypt the l-th ciphertext $(u_1, u_2, e, v)$. First it computes a share $v'_i$ of $v'$, by letting $v'_i = u_1^{x_{1,i} + \alpha y_{1,i}} u_2^{x_{2,i} + \alpha y_{2,i}}$. Then it computes a share $u_1^{z_i}$ of $u_1^{z}$ and a share $g_1^{o_{l,i}}$ of the value ‘1’. Next it computes and outputs the partial decryption⁷ $f_i = u_1^{z_i} \cdot (v / v'_i)^{s_{l,i}} \cdot g_1^{o_{l,i}}$.

The user module collects the partial decryptions $f_1, \ldots, f_n$ and computes the value $f_0 = \prod_{i=1}^{n} f_i^{\lambda_i}$, where the $\lambda_i$'s are the appropriate Lagrange interpolation coefficients; that is, the $\lambda_i$'s satisfy that for any degree-2t polynomial P() over $\mathbb{Z}_q$ we have $P(0) = \sum_{i=1}^{n} \lambda_i P(i)$. Next, the user outputs $m = e / f_0$.



Theorem 1. If the DDH assumption holds then T-CS is a t-secure threshold cryptosystem for any t < n/2, provided that even corrupted servers follow their protocol.



Proof. See proof in [?]. Here we only verify that the output of the user's decryption module is identical to the output of the decryption module in M-CS. Each partial decryption $f_i$ can be written as follows. Let $r_1 = \log_{g_1} u_1$ (i.e., $r_1$ satisfies $g_1^{r_1} = u_1$), let $r_2 = \log_{g_1} u_2$, and let $r_3 = \log_{g_1} v$. Then we have

\[
f_i = g_1^{\, r_1 z_i - r_1 s_{l,i} x_{1,i} - r_1 \alpha s_{l,i} y_{1,i} - r_2 s_{l,i} x_{2,i} - r_2 \alpha s_{l,i} y_{2,i} + r_3 s_{l,i} + o_{l,i}} .
\]

Consequently, $f_i = g_1^{Q(i)}$ where Q() is the degree-2t polynomial

\[
Q() = r_1 P^{z}() - r_1 P^{s_l}() P^{x_1}() - r_1 \alpha P^{s_l}() P^{y_1}() - r_2 P^{s_l}() P^{x_2}() - r_2 \alpha P^{s_l}() P^{y_2}() + r_3 P^{s_l}() + P^{o_l}() .
\]

It follows that

\[
f_0 = g_1^{Q(0)} = g_1^{\, r_1 z - r_1 s_l x_1 - r_1 \alpha s_l y_1 - r_2 s_l x_2 - r_2 \alpha s_l y_2 + r_3 s_l + 0} = u_1^{z} \cdot (v / v')^{s_l} ,
\]

therefore $e / f_0 = m \cdot (v'/v)^{s_l}$.
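As an added worked example (not code from the paper), the following toy implementation runs CS, M-CS and T-CS end to end and checks the derivation above: a valid ciphertext recovers m from the partial decryptions, while a ciphertext whose tag v was tampered with recombines to m · (v'/v)^s. Everything below is a constructed assumption: the group (p = 2039, q = 1019, g1 = 4, g2 = 9), SHA-256 reduced mod q standing in for H, and n = 5 servers with t = 2 and L = 3.

```python
"""Toy walk-through of CS, M-CS and T-CS (Sections 3 and 3.1); added example, not the paper's code."""
import hashlib, math, random

# Constructed toy group (needs Python 3.8+): q = 1019 and p = 2q + 1 = 2039 are prime; 4 and 9 are
# quadratic residues mod p, hence generators of the order-q subgroup of Z_p^*.
P, Q, G1, G2 = 2039, 1019, 4, 9


def hash_alpha(u1, u2, e):
    """Stand-in for H: hash (u1, u2, e) into Z_q."""
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q


def keygen(rng):
    """CS key: sk = (x1, x2, y1, y2, z), pk = (c, d, h) with c = g1^x1 g2^x2, d = g1^y1 g2^y2, h = g1^z."""
    x1, x2, y1, y2, z = (rng.randrange(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (x1, x2, y1, y2, z), (c, d, pow(G1, z, P))


def encrypt(pk, m, r):
    """ENC(m, r) = (g1^r, g2^r, h^r m, c^r d^{r alpha}); m must be a subgroup element."""
    c, d, h = pk
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P
    alpha = hash_alpha(u1, u2, e)
    return u1, u2, e, pow(c, r, P) * pow(d, r * alpha % Q, P) % P


def v_prime(x1, x2, y1, y2, ct):
    """v' = u1^{x1 + alpha y1} u2^{x2 + alpha y2}; called with server i's shares it yields v'_i."""
    u1, u2, e, _ = ct
    alpha = hash_alpha(u1, u2, e)
    return pow(u1, (x1 + alpha * y1) % Q, P) * pow(u2, (x2 + alpha * y2) % Q, P) % P


def cs_decrypt(sk, ct):
    """Original CS: explicit validity check; None plays the role of the error output '?'."""
    x1, x2, y1, y2, z = sk
    u1, _, e, v = ct
    return None if v != v_prime(x1, x2, y1, y2, ct) else e * pow(u1, -z % Q, P) % P


def mcs_decrypt(sk, ct, s):
    """M-CS: no check; returns e/u1^z * (v'/v)^s, which is m iff v == v' (s drawn from Z_q by the caller)."""
    x1, x2, y1, y2, z = sk
    u1, _, e, v = ct
    ratio = v_prime(x1, x2, y1, y2, ct) * pow(v, -1, P) % P
    return e * pow(u1, -z % Q, P) * pow(ratio, s, P) % P


def share(secret, degree, n, rng):
    """P(1), ..., P(n) for a random degree-`degree` polynomial over Z_q with free term `secret`."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(degree)]
    return [sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q for i in range(1, n + 1)]


def lagrange_at_zero(n):
    """lambda_1..lambda_n with P(0) = sum_i lambda_i P(i) for every polynomial P of degree < n."""
    lam = []
    for i in range(1, n + 1):
        others = [j for j in range(1, n + 1) if j != i]
        num, den = math.prod(others) % Q, math.prod(j - i for j in others) % Q
        lam.append(num * pow(den, -1, Q) % Q)
    return lam


def tcs_keygen(n, t, L, rng):
    """Trusted dealer: degree-t shares of x1, x2, y1, y2, z and of L random s_l, degree-2t
    shares of L zeros o_l. Returns the CS sk (kept only for comparison), pk and [sk_i]."""
    sk, pk = keygen(rng)
    key_sh = [share(val, t, n, rng) for val in sk]
    s_sh = [share(rng.randrange(Q), t, n, rng) for _ in range(L)]
    o_sh = [share(0, 2 * t, n, rng) for _ in range(L)]
    servers = [(tuple(k[i] for k in key_sh), [s[i] for s in s_sh], [o[i] for o in o_sh])
               for i in range(n)]
    return sk, pk, servers


def partial_decrypt(sk_i, l, ct):
    """Server i on the l-th ciphertext: f_i = u1^{z_i} (v / v'_i)^{s_{l,i}} g1^{o_{l,i}}.
    (The paper then has the server erase s_{l,i} and o_{l,i}; not modelled here.)"""
    (x1, x2, y1, y2, z), s_sh, o_sh = sk_i
    u1, _, _, v = ct
    ratio = v * pow(v_prime(x1, x2, y1, y2, ct), -1, P) % P
    return pow(u1, z, P) * pow(ratio, s_sh[l], P) * pow(G1, o_sh[l], P) % P


def combine(ct, partials):
    """User: f_0 = prod_i f_i^{lambda_i} over the partials of servers 1..k, k >= 2t+1 (each
    exponent is a product of two degree-t shares, so Q() has degree 2t); then m = e / f_0."""
    f0 = 1
    for f_i, lam_i in zip(partials, lagrange_at_zero(len(partials))):
        f0 = f0 * pow(f_i, lam_i, P) % P
    return ct[2] * pow(f0, -1, P) % P


def demo(seed=7):
    """One message through all three schemes, plus a constructed invalid ciphertext (tag v replaced by v*g1)."""
    rng = random.Random(seed)
    sk, pk, servers = tcs_keygen(n=5, t=2, L=3, rng=rng)
    m = pow(G1, 77, P)
    ct = encrypt(pk, m, rng.randrange(Q))
    bad = (ct[0], ct[1], ct[2], ct[3] * G1 % P)
    s_1 = sum(lam * sv[1][1] for lam, sv in zip(lagrange_at_zero(5), servers)) % Q  # only to state the expected garbage
    return {
        "m": m, "cs_valid": cs_decrypt(sk, ct), "cs_bad": cs_decrypt(sk, bad),
        "mcs_valid": mcs_decrypt(sk, ct, 5), "mcs_bad": mcs_decrypt(sk, bad, 1),  # m * g1^{-1}
        "tcs_valid": combine(ct, [partial_decrypt(sv, 1, ct) for sv in servers]),
        "tcs_bad": combine(bad, [partial_decrypt(sv, 1, bad) for sv in servers]),
        "tcs_bad_expected": m * pow(G1, -s_1 % Q, P) % P,  # e/f_0 = m (v'/v)^{s_1} = m g1^{-s_1}
    }
```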

How to synchronize the s's. The above scheme may encounter synchronization problems when the servers receive the ciphertexts in different orders, and consequently associate shares of different s's with the same ciphertext. A way to solve this problem is to have the servers agree on a bivariate polynomial H(x, y) of degree t in x and degree L in y, where each server $P_i$ holds the degree-L univariate polynomial $H_i(y) = H(i, y)$. The value $s_{i,c}$ associated with the ciphertext c is computed as $s_{i,c} = H(i, h(c))$ where h() is a collision-resistant hash function that outputs numbers in $\mathbb{Z}_q$. It now holds that the first L ciphertexts will be associated with L independent s's, regardless of the relative order of arrival at the servers. (Ciphertext c will be associated with the value $s_c = H(0, h(c))$.) Using bivariate polynomials for related purposes is common in the literature. The use here is similar to the one in [?].

⁷ Once the partial decryption is generated, the server erases the shares $o_{l,i}, s_{l,i}$. This provision is important for proving security of the scheme against dynamic adversaries that may corrupt parties during the course of the computation.

This method does not reduce the memory requirements of the servers, since each $H_i$ has L + 1 coefficients. Furthermore, our proof of security against dynamic adversaries does not go through when this method is used. (Security against static adversaries remains unchanged.)
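As an added example (not the paper's code), the following toy shows the bivariate-polynomial method: a dealer hands each server $H_i(y) = H(i, y)$, the servers process constructed ciphertexts in different arrival orders, and any t+1 shares $s_{i,c} = H_i(h(c))$ recombine to $s_c = H(0, h(c))$. The prime q = 1019 and SHA-256 reduced mod q standing in for h() are assumptions.

```python
"""Synchronizing the per-ciphertext exponents s with a bivariate polynomial H(x, y) of degree
t in x and L in y (Section 3.1); added example, not the paper's code."""
import hashlib
import math
import random

Q = 1019  # constructed toy prime; all shares live in Z_q


def deal(t, L, n, rng):
    """Dealer: random H(x, y) = sum_{j<=t, k<=L} a[j][k] x^j y^k. Server i receives the L+1
    coefficients of H_i(y) = H(i, y). H's own coefficients are returned only for checking."""
    a = [[rng.randrange(Q) for _ in range(L + 1)] for _ in range(t + 1)]
    h_i = [[sum(a[j][k] * pow(i, j, Q) for j in range(t + 1)) % Q for k in range(L + 1)]
           for i in range(1, n + 1)]
    return a, h_i


def hash_to_zq(c):
    """h(): collision-resistant hash of the ciphertext bytes into Z_q (SHA-256 stands in)."""
    return int.from_bytes(hashlib.sha256(c).digest(), "big") % Q


def server_share(h_i, c):
    """s_{i,c} = H_i(h(c)): a function of c alone, so the arrival order does not matter."""
    y = hash_to_zq(c)
    return sum(ck * pow(y, k, Q) for k, ck in enumerate(h_i)) % Q


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from {i: s_{i,c}}; H(., y) has degree t in x,
    so any t+1 distinct server indices suffice."""
    total = 0
    for i, si in shares.items():
        others = [j for j in shares if j != i]
        lam = math.prod(others) * pow(math.prod(j - i for j in others) % Q, -1, Q) % Q
        total = (total + lam * si) % Q
    return total


def s_for_ciphertext(a, c):
    """Value the user should end up with: s_c = H(0, h(c)) = sum_k a[0][k] h(c)^k."""
    y = hash_to_zq(c)
    return sum(a0k * pow(y, k, Q) for k, a0k in enumerate(a[0])) % Q


def demo(seed=3, t=2, L=4, n=5):
    """Each server handles three constructed ciphertexts in its own arrival order; for every
    ciphertext the shares of t+1 randomly chosen servers are recombined. Returns {c: (got, expected)}."""
    rng = random.Random(seed)
    a, h_i = deal(t, L, n, rng)
    cts = [b"ciphertext-A", b"ciphertext-B", b"ciphertext-C"]  # constructed stand-ins
    logs = []
    for i in range(1, n + 1):
        arrival = rng.sample(cts, len(cts))  # server i's private arrival order
        logs.append({c: server_share(h_i[i - 1], c) for c in arrival})
    out = {}
    for c in cts:
        chosen = {i: logs[i - 1][c] for i in rng.sample(range(1, n + 1), t + 1)}
        out[c] = (reconstruct(chosen), s_for_ciphertext(a, c))
    return out
```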

In an alternative method (that allows the proof against dynamic adversaries to go through) the servers use a universal hash function h (not cryptographic, just avoiding collisions with high probability) to map the ciphertext c to an index i. Once an s_i has been utilized, it is erased from the list.^ Note that universal hash functions suffice here, as it is in the interest of the encrypting party to prevent collisions in hashed ciphertexts. However, only a fraction of the s's are used before collisions become frequent.
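The bivariate-polynomial synchronization described above, as an added example that is not part of the original paper: each server holds H_i(y) = H(i, y), derives its share for a ciphertext c from h(c) alone, and any t+1 servers' shares interpolate to s_c = H(0, h(c)) whatever order the ciphertexts arrived in. The field size q, the SHA-256-based hash h() and the sample ciphertexts are constructed for the illustration.

```python
import hashlib
import secrets

# Constructed toy field: the scheme works in Z_q for the prime q of the group; any prime
# will do for the polynomial arithmetic demonstrated here.
Q = 1019


def h(ciphertext: bytes) -> int:
    """Collision-resistant hash h() mapping a ciphertext to Z_q (SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(ciphertext).digest(), "big") % Q


def random_bivariate(t: int, L: int) -> list:
    """Coefficient table H[i][j] of H(x, y) = sum_i sum_j H[i][j] x^i y^j,
    of degree t in x and degree L in y, agreed upon by the servers in advance."""
    return [[secrets.randbelow(Q) for _ in range(L + 1)] for _ in range(t + 1)]


def eval_bivariate(H: list, x: int, y: int) -> int:
    return sum(H[i][j] * pow(x, i, Q) * pow(y, j, Q)
               for i in range(len(H)) for j in range(len(H[0]))) % Q


def server_polynomial(H: list, i: int) -> list:
    """H_i(y) = H(i, y): the degree-L univariate polynomial held by server P_i."""
    return [sum(H[k][j] * pow(i, k, Q) for k in range(len(H))) % Q
            for j in range(len(H[0]))]


def share_for_ciphertext(H_i: list, ciphertext: bytes) -> int:
    """s_{i,c} = H_i(h(c)): depends only on c, so the arrival order is irrelevant."""
    y = h(ciphertext)
    return sum(coef * pow(y, j, Q) for j, coef in enumerate(H_i)) % Q


def lagrange_at_zero(xs: list) -> list:
    """lambda_k with sum_k lambda_k f(x_k) = f(0) for every f of degree < len(xs)."""
    lambdas = []
    for k, xk in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != k:
                num = num * (-xm) % Q
                den = den * (xk - xm) % Q
        lambdas.append(num * pow(den, -1, Q) % Q)
    return lambdas


def reconstruct_s(shares: list) -> int:
    """Interpolate s_c = H(0, h(c)) from any t+1 (server index, share) pairs."""
    lambdas = lagrange_at_zero([i for i, _ in shares])
    return sum(lam * v for lam, (_, v) in zip(lambdas, shares)) % Q
```

With t = 2 and five servers, any three of them reconstruct the same s_c for a given ciphertext, and a server computing its share for ciphertext two before ciphertext one changes nothing, because the share is a function of h(c) and not of a counter.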



On pseudorandomly generated s's. The need to prepare in advance the s's and the o's (i.e., the shared random values and the shares of the value 0) is a drawback of our scheme. It raises an interesting open problem of whether it is possible to construct a non-interactive and efficient implementation of a threshold pseudorandom function (TPRF), namely a PRF family {f_k} where the secret key k is shared by a number of servers so that the servers can jointly evaluate the function, yet the function remains pseudorandom to an adversary who may control a coalition of some of the servers. For our scheme, we would need in addition that the shares of the servers of f_k(c) would correspond to the values of a degree-t polynomial whose free term is f_k(c). If such a function family existed, then instead of pre-sharing the random s's, each server S_i would, given a ciphertext c, set s_i to be the i-th share of f_k(c). (The shares of the value '0' can be pseudorandomly generated using similar methods.)

In fact, a threshold pseudorandom generator (TPRG) will suffice for us and could possibly be easier to implement. In a TPRG suitable for our purpose, the seed to the generator would be shared among the servers. Each server would compute a point on a degree-t random polynomial whose free term is the i-th output block of the generator.



^ In the event that a c' arrives s.t. h(c') = i for an s_i that was previously used and erased, the server alerts the user to replace c' with c'' (a perturbed c') and s_{h(c'')} is used instead.

3.2 Achieving Robustness

This section deals with protecting against actively faulty decryption servers. No- 
tice that since scheme T-CS is non-interactive then actively faulty servers cannot 
help the adversary in compromising the secrecy of encrypted messages that were 
not explicitly decrypted by the non-corrupted servers. The only damage that 
actively faulty servers can cause is denial of service. This is a lesser concern than 
secrecy, and in particular can usually be dealt with using external methods, 
such as notifying a higher-layer protocol or an operator. Still, we describe three 
methods for dealing with such active faults, as sketched in the Introduction. 

Local error correcting. The first method uses the fact that, as long as t < ^, the correct value f_0 is uniquely determined. This holds even if up to t of the f_i's are arbitrary elements of the group. Let Q() be the polynomial defined in Equation (?). Then at least n − t of the partial decryptions f_1...f_n satisfy f_i = g^{Q(i)}. Furthermore, there exists only a single degree-2t polynomial that agrees with n − t of the f_i's.

We describe below a method for finding f_0 = g^{Q(0)}. This method is efficient only when t = O(√n). We do not know how to efficiently find f_0 for larger values of t; this 'error correction in the exponent' is an interesting and general open problem with various applications for cryptographic protocols. In particular, standard error correction algorithms for Reed-Solomon codes [?], which work when the perturbed Q(i)'s are explicitly given, do not seem to work here.

Our simplistic method for finding the value f_0 = g^{Q(0)} proceeds as follows. We first pick at random a set G = {i_1, ..., i_d} of d = 2t + 1 f_i's, and check its validity using the appropriate Lagrange coefficients. That is, let λ_1^x, ..., λ_d^x be such that P(x) = Σ_{k=1}^{d} λ_k^x P(i_k) for all polynomials P() of degree 2t. (These λ^x's are specific for x and for the set G.) Then, for each j = 1..n we test whether

$$f_j = \prod_{k=1}^{d} f_{i_k}^{\lambda_k^{j}}.$$

Say that G is valid if the test fails for at most t f_j's. We are guaranteed by the uniqueness of Q() that if G is valid then letting f_0 = ∏_{k=1}^{d} f_{i_k}^{λ_k^0} yields the correct value. Furthermore, if S_i is uncorrupted (and thus f_i = g^{Q(i)}) for all i ∈ G then G is valid.

We thus repeatedly choose random sets of size 2t + 1 and check for validity. Each trial succeeds with probability Ω(e^{−t²/n}). Thus when t = O(√n) we are guaranteed that a valid set G is found within a constant number of trials. (A similar argument is used in [?].) When n is small, as would be the case for practical applications, this method is quite efficient.
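The random-subset search for a valid set G ('error correction in the exponent'), as an added example that is not the paper's code: partial decryptions f_i = g^{Q(i)} are built for a random degree-2t polynomial Q, t of them are replaced by arbitrary group elements, and the Lagrange-in-the-exponent test above is used to find a valid set and recover f_0 = g^{Q(0)} without ever learning Q. The toy group (p = 2039, q = 1019, g = 4) is a constructed assumption and far too small for real use.

```python
import secrets

# Constructed toy group: p = 2q + 1, and g = 4 generates the order-q subgroup of Z_p^*.
P, ORDER, G = 2039, 1019, 4


def lagrange_coeffs(xs: list, x: int) -> list:
    """lambda_k with P(x) = sum_k lambda_k P(x_k) for every polynomial of degree < len(xs)."""
    out = []
    for k, xk in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != k:
                num = num * (x - xm) % ORDER
                den = den * (xk - xm) % ORDER
        out.append(num * pow(den, -1, ORDER) % ORDER)
    return out


def interpolate_in_exponent(points: list, x: int) -> int:
    """From (i, g^{Q(i)}) pairs compute g^{Q(x)}: the Lagrange combination done in the exponent."""
    lambdas = lagrange_coeffs([i for i, _ in points], x)
    result = 1
    for lam, (_, f_i) in zip(lambdas, points):
        result = result * pow(f_i, lam, P) % P
    return result


def find_valid_set(partials: dict, t: int, max_trials: int = 1000):
    """Pick 2t+1 partial decryptions at random and test them against all n; a set is valid
    if at most t of the f_j disagree with the polynomial it defines. Returns the set or None."""
    indices = sorted(partials)
    rng = secrets.SystemRandom()
    for _ in range(max_trials):
        chosen = sorted(rng.sample(indices, 2 * t + 1))
        points = [(i, partials[i]) for i in chosen]
        failures = sum(1 for j in indices if interpolate_in_exponent(points, j) != partials[j])
        if failures <= t:
            return points
    return None


def robust_f0(partials: dict, t: int):
    """f_0 = g^{Q(0)} from a valid set, or None if no valid set was found."""
    points = find_valid_set(partials, t)
    return None if points is None else interpolate_in_exponent(points,0)


def simulate(n: int, t: int, corrupted: list) -> tuple:
    """Build f_i = g^{Q(i)} for a random degree-2t Q, replace the partial decryptions of the
    servers in `corrupted` by arbitrary group elements, and return (true f_0, recovered f_0)."""
    coeffs = [secrets.randbelow(ORDER) for _ in range(2 * t + 1)]

    def q_poly(x):
        return sum(c * pow(x, k, ORDER) for k, c in enumerate(coeffs)) % ORDER

    partials = {i: pow(G, q_poly(i), P) for i in range(1, n + 1)}
    for i in corrupted:
        partials[i] = pow(G, secrets.randbelow(ORDER), P)   # garbage from a faulty server
    return pow(G, q_poly(0), P), robust_f0(partials, t)
```

A set containing a corrupted share defines a degree-2t polynomial that agrees with the honest shares in at most 2t points, so it fails the test on the remaining honest servers as long as n is large enough relative to t; the random search only pays off when an all-honest set is hit with reasonable probability, which is the t = O(√n) condition of the text.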

Interactive proofs of validity of partial decryptions. This method calls for the decrypting user to perform a (four-move) Zero Knowledge interaction with each of the servers to verify the validity of the partial decryptions. While making sure that neither corrupted servers nor a corrupted user gather more information (or, rather, more computational ability) than in the basic scheme (t-CS), these interactions guarantee that the user will almost never accept an invalid partial decryption as valid. Once the interactions are done, the user interpolates f_0 as in the basic scheme, based on the accepted partial decryptions. We remark that the user need not always perform these interactions. It can first locally check validity (using terminology from the previous method) of the entire set {f_1...f_n} and interact with the servers only if {f_1...f_n} is found invalid.

We use standard techniques for discrete-log based ZK proofs of membership and knowledge [?]. First the following verification information is added to the public key. (We stress that this information is not needed for encrypting messages; it is used only by the decrypting users.) For each server S_i and each l = 1..L we add:

g_1^{s_{l,i}}, ..., g_2^{o_{l,i}} [the remaining verification values in this list are illegible in the source]

Now, given the l-th ciphertext (u_1, u_2, e, v), server S_i sends to the decrypting user, along with the partial decryption f_i (computed as in t-CS), also the values ū_1 = u_1^{s_{l,i}} and ū_2 = u_2^{s_{l,i}}. Next, S_i and the user U engage in the following interaction, whose purpose can be informally described as follows. Recall that α = H(u_1, u_2, e). Server S_i proves to U that:

1. log_{u_1} ū_1 = log_{g_1} g_1^{s_{l,i}} and log_{u_2} ū_2 = log_{g_2} g_2^{s_{l,i}}.

2. S_i "knows" values w_1, w_2, w_3, w_4, w_5 and x_{1,i}, x_{2,i}, y_{1,i}, y_{2,i}, such that:

(a) w_1 · w_2 · w_3 · w_4 · w_5 = f_i

(b) [illegible in the source]

(c) log_{u_1} w_3 = log_{g_1} g_1^{[…]}

(d) log_{u_2} w_4 = log_{g_2} g_2^{[…]}

(e) log_{g_2} w_5 = log_{g_2} g_2^{[…]}

The proof proceeds as follows. We describe the proof in two parts. These parts are performed in parallel. (In fact, U can use the same challenge for both proofs.) First, to prove item 1, a standard ZK proof of equality of discrete logs [?] is performed:

1. U commits to a challenge c ∈ Z_q.^

2. S_i chooses r_1, r_2 ∈ Z_q, and sends b_1 = u_1^{r_1}, b_2 = g_1^{r_1}, b_3 = u_2^{r_2}, b_4 = g_2^{r_2} to U.

3. U de-commits to c.

4. S_i sends a_1 = r_1 + c s_{l,i} and a_2 = r_2 + c s_{l,i} to U.

5. U accepts if u_1^{a_1} = b_1 ū_1^{c} and g_1^{a_1} = b_2 (g_1^{s_{l,i}})^{c} and u_2^{a_2} = b_3 ū_2^{c} and g_2^{a_2} = b_4 (g_2^{s_{l,i}})^{c}.



The above interaction consists of two [?] proofs, that use the same challenge. It can be seen that using the same challenge does not significantly increase the probability of error for the user.

Next, to show item 2 above, server S_i and user U engage in the following interaction (which is a combination of the above proof of equality of discrete logs, and a proof of "knowledge of a representation" from [?]) (we use the formulation of [?]).

^ Specifically, we use the Pedersen commitment scheme [?]. Here the parties may use two predetermined generators g, h of the subgroup of size q in Z_p^*. The user commits to c by sending g^c h^s for a randomly chosen s in Z_q.

1. U commits to a challenge c ∈ Z_q, as before.

2. S_i chooses r_1, ..., r_7 ∈ Z_q, and sends b_1, ..., b_8 to U [the expressions for b_1, ..., b_8 are illegible in the source].

3. U de-commits to c.

4. S_i sends a_1 = r_1 + x_{1,i} c, a_2 = r_2 + x_{2,i} c, a_3 = r_3 + y_{1,i} c, a_4 = r_4 + y_{2,i} c, a_5 = r_5 + z_i c, a_6 = r_6 + s_{l,i} c, a_7 = r_7 + o_{l,i} c to U.

5. U accepts f_i if [the four equality-of-logs checks, illegible in the source] and

$$[\ldots] = f_i^{\,c}\, b_1 b_2 b_3 b_6 b_7. \qquad (3)$$

The above interaction combines three [?] proofs of equality of discrete logarithms with two [?] proofs of knowledge of representation. In addition to using the same challenge, here the verifier's acceptance conditions of the five proofs are combined in a single product (3). This allows the verifier to check the validity of the product f_i without knowing the individual w_i's. Correctness of this interaction is based on the fact that if S_i 'knows' representations of the verification values with respect to u_1, u_2 (and g_1, g_2) then the values x_{1,i}, x_{2,i}, y_{1,i}, y_{2,i} must be the ones from S_i's secret key (otherwise a knowledge extractor for S_i can be used to find the index of g_2 w.r.t. g_1).

User U decides that f_i is valid if it accepted f_i in both of the above interactions. Finally, U proceeds to compute f_0 and m based on the valid f_i's, as in the basic scheme. Let i-CS denote this interactive variant of t-CS.
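The two four-move interactions above, equality of discrete logarithms and knowledge of a representation, each with the user's challenge fixed by a Pedersen commitment before the server's first message, as an added example that is not the paper's code. The group parameters and witnesses are constructed toy values, the Pedersen generators g, h assume an unknown log_g h, and one committed challenge is reused for both proofs, as the text permits; a `cheat` switch makes the prover answer for a wrong witness so the rejection path is exercised too.

```python
import secrets

# Constructed toy group: p = 2q + 1, G and H are quadratic residues, hence of order q.
P, Q_ORD = 2039, 1019
G, H = 4, 9            # assumption: log_G(H) unknown to both parties (Pedersen requirement)


def rand_zq() -> int:
    return secrets.randbelow(Q_ORD)


def commit_challenge(c: int) -> tuple:
    """Move 1: the user's Pedersen commitment C = g^c h^sigma to the challenge c."""
    sigma = rand_zq()
    return pow(G, c, P) * pow(H, sigma, P) % P, sigma


def open_ok(commitment: int, c: int, sigma: int) -> bool:
    """Move 3: the server checks the de-commitment before answering."""
    return commitment == pow(G, c, P) * pow(H, sigma, P) % P


# --- equality of discrete logarithms: log_a A = log_b B = x -----------------------------
def eqlog_commit(a: int, b: int) -> tuple:
    """Move 2: server sends b1 = a^r, b2 = b^r."""
    r = rand_zq()
    return r, (pow(a, r, P), pow(b, r, P))


def eqlog_respond(r: int, x: int, c: int) -> int:
    """Move 4: alpha = r + c x (mod q)."""
    return (r + c * x) % Q_ORD


def eqlog_verify(a, A, b, B, msg, c, alpha) -> bool:
    b1, b2 = msg
    return (pow(a, alpha, P) == b1 * pow(A, c, P) % P and
            pow(b, alpha, P) == b2 * pow(B, c, P) % P)


# --- knowledge of a representation y = g1^x1 g2^x2 --------------------------------------
def repr_commit(g1: int, g2: int) -> tuple:
    r1, r2 = rand_zq(), rand_zq()
    return (r1, r2), pow(g1, r1, P) * pow(g2, r2, P) % P


def repr_respond(rs: tuple, xs: tuple, c: int) -> tuple:
    return tuple((r + c * x) % Q_ORD for r, x in zip(rs, xs))


def repr_verify(g1, g2, y, bmsg, c, answers) -> bool:
    a1, a2 = answers
    return pow(g1, a1, P) * pow(g2, a2, P) % P == bmsg * pow(y, c, P) % P


def run_session(a, b, x, g1, g2, x1, x2, cheat: bool = False) -> bool:
    """One four-move run of both proofs in parallel under a single committed challenge.
    With cheat=True the prover answers for x+1 and x1+1, which the user must reject."""
    A, B = pow(a, x, P), pow(b, x, P)
    y = pow(g1, x1, P) * pow(g2, x2, P) % P
    c = 1 + secrets.randbelow(Q_ORD - 1)          # non-zero challenge
    C, sigma = commit_challenge(c)                # move 1 (user)
    r, eq_msg = eqlog_commit(a, b)                # move 2 (server)
    rs, rep_msg = repr_commit(g1, g2)
    if not open_ok(C, c, sigma):                  # move 3 (user opens, server checks)
        return False
    wx = (x + 1) % Q_ORD if cheat else x          # move 4 (server answers)
    alpha = eqlog_respond(r, wx, c)
    answers = repr_respond(rs, ((x1 + 1) % Q_ORD if cheat else x1, x2), c)
    return (eqlog_verify(a, A, b, B, eq_msg, c, alpha) and
            repr_verify(g1, g2, y, rep_msg, c, answers))
```

Because the challenge is committed before the server sends b_1, ..., a corrupted user cannot choose c after seeing the server's first message, which is what lets the simulator argument of the text go through for the server's side as well.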

Theorem 2. If the DDH assumption holds then i-CS is a t-robust threshold cryptosystem for any t < …

The proof combines the simulation technique from the proof of Theorem 1 with the proofs of the protocols of [?]. We omit details from this version. (Here we only withstand static adversaries.) We remark that the protocols described here do not withstand asynchronously concurrent interactions between a corrupted user and the servers. This problem can be solved once general mechanisms for efficiently dealing with the concurrency problem are provided.
Abstract. We present the first efficient statistical zero-knowledge protocols to prove statements such as:

— A committed number is a prime. 

— A committed (or revealed) number is the product of two safe primes, 
i.e., primes p and q such that (p — l)/2 and (q — l)/2 are prime. 

— A given integer has large multiplicative order modulo a composite 
number that consists of two safe prime factors. 

The main building blocks of our protocols are statistical zero-knowledge 
proofs of knowledge that are of independent interest. We show how to 
prove the correct computation of a modular addition, a modular multi- 
plication, and a modular exponentiation, where all values including the 
modulus are committed to but not publicly known. Apart from the va- 
lidity of the equations, no other information about the modulus (e.g., a 
generator whose order equals the modulus) or any other operand is ex- 
posed. Our techniques can be generalized to prove that any multivariate 
modular polynomial equation is satisfied, where only commitments to 
the variables of the polynomial and to the modulus need to be known. 
This improves previous results, where the modulus is publicly known. 
We show how these building blocks allow to prove statements such as 
those listed earlier. 



1 Introduction 

The problem of proving that a number n is the product of two primes p and q of special form arises in many recently proposed cryptographic schemes (e.g., [?]) whose security is based on both the infeasibility of computing discrete logarithms and of computing roots in groups of unknown order. Such schemes typically involve a designated entity that knows the group's order and hence is able to compute roots. Although the other involved entities must not learn the group's order, nevertheless, they want to be assured that it is large and not smooth, i.e., that computing discrete logarithms is infeasible to the designated entity as well. An example of groups used in such schemes are subgroups of Z_n^*. Here, it suffices that the designated entity proves n to be the product of two safe primes, i.e., primes p and q such that (p − 1)/2 and (q − 1)/2 are prime. More precisely, if n is the product of two safe primes p and q and a^2 ≢ 1 (mod n) and gcd(a^2 − 1, n) = 1 holds for some a (which the verifier can check easily), then a has multiplicative order (p − 1)(q − 1)/4 or (p − 1)(q − 1)/2 [?]. Another example are elliptic curves over Z_n. In this case, n is required to be the product of two primes p and q such that (p + 1)/2 and (q + 1)/2 are prime [?]. Finally, standards such as X9.31 require the modulus to be the product of two primes p and q, where (p − 1)/2, (p + 1)/2, (q − 1)/2 and (q + 1)/2 have a large prime factor that is between 100 and 120 bit [?].^ Previously, the only way known to prove such properties was applying inefficient general zero-knowledge proof techniques (e.g., [?]).

* BRICS - Basic Research in Computer Science, Center of the Danish National Research Foundation.

** Part of this work was done while this author was with Ubilab, UBS, Switzerland.

In this paper we describe an efficient protocol for proving that a committed integer is in fact the modular addition of two committed integers modulo another committed integer without revealing any other information whatsoever. Then, we provide similar protocols for modular multiplication, modular exponentiation, and, more generally, for any multivariate polynomial equation. Previously known protocols allow only to prove that algebraic relations modulo a publicly known integer hold [?]. Furthermore, we present an efficient zero-knowledge argument of primality of a committed number and, as a consequence, a zero-knowledge argument that an RSA modulus n consists of two safe primes. The additional advantage of this method is that only a commitment to n but not n itself must be publicly known. If the number n is publicly known, however, more efficient protocols can be obtained by combining our techniques with known results which are described in the next paragraph.

A number of protocols for proving properties of composite numbers are found in literature. Van de Graaf and Peralta [?] provide an efficient proof that a given integer n is of the form n = p^r q^s, where r and s are odd, p and q are primes and p ≡ q ≡ 3 (mod 4). A protocol due to Boyar et al. [?] allows to prove that a number n is square-free, i.e., there is no prime p with p | n such that p^2 | n. Hence, if both properties are proved, it follows that n is the product of two primes p and q, where p ≡ q ≡ 3 (mod 4). This result was recently strengthened by Gennaro et al. [?] who present a proof system for showing that a number n (satisfying certain side-conditions) is the product of quasi-safe primes, i.e., primes p and q for which (p − 1)/2 and (q − 1)/2 is a prime power. However, their protocol can not guarantee that (p − 1)/2 and (q − 1)/2 are indeed primes which is what we are aiming for. Finally, Chan et al. [?] and Mao [?] provide protocols for showing that a committed number consists of two large factors, and, recently, Liskov & Silverman describe a proof that a number is a product of two nearly equal primes [?].

^ However, it is unnecessary to explicitly add this requirement to the RSA key generation. For randomly chosen large primes, the probability that (p − 1)/2, (p + 1)/2, (q − 1)/2, and (q + 1)/2 have a large prime factor is overwhelming. This is sufficient protection against the Pollard p − 1 and Williams p + 1 factoring methods [?]. Moreover, an efficient proof that an arbitrarily generated RSA modulus is not weak without revealing its factors seems to be hard to obtain as various conditions have to be checked (e.g., see [?]).

2 Tools 

In the following we assume a group G = ⟨g⟩ of large known order Q and a second generator h whose discrete logarithm to the base g is not known. We define the discrete logarithm of y to the base g to be any integer x such that y = g^x holds, in particular discrete logarithms are allowed to be negative. Computing discrete logarithms is assumed to be infeasible.

2.1 Commitment Schemes 

Our schemes use commitment schemes that allow to prove algebraic properties of the committed value. There are two kinds of commitment schemes. The first kind hides the committed value information theoretically from the verifier (unconditionally hiding) but is only conditionally binding, i.e., a computationally unbounded prover can change his mind. The second kind is only computationally hiding but unconditionally binding. Depending on the kind of the commitment scheme employed, our schemes will be statistical zero-knowledge arguments (proofs of knowledge) or computational zero-knowledge proof systems. Cramer and Damgård [?] describe a class of commitment schemes allowing to prove algebraic properties of the committed value. It includes RSA-based as well as discrete-logarithm-based schemes of both kinds. For easier description of our protocols, we will use a particular commitment scheme which is due to Pedersen [?]. A value a ∈ Z_Q is committed to by c_a := g^a h^r, where r is randomly chosen from Z_Q. This scheme is unconditionally hiding and computationally binding, i.e., a prover able to compute log_g h can change his mind. Therefore our protocols will be statistical zero-knowledge proofs of knowledge (or arguments). However, our protocols can easily be adapted to work for all the commitment schemes exposed in [?].

2.2 Various Proof-Protocols Found in Literature 

We review various zero-knowledge protocols for proving knowledge of and about discrete logarithms and introduce our notation for such protocols.

Proving the knowledge of a discrete logarithm x of a group element y to a base g [?]. The prover chooses a random r ∈_R Z_Q and computes t := g^r and sends t to the verifier. The verifier picks a random challenge c ∈_R {0,1}^k and sends it to the prover. The prover computes s := r − cx (mod Q) and sends s to the verifier. The verifier accepts, if g^s y^c = t holds. This protocol is an honest-verifier zero-knowledge proof of knowledge if k = O(poly(log Q)) and a zero-knowledge proof of knowledge if k = O(log log Q) and when serially repeated O(poly(log Q)) times. This holds for all other protocols described in this section (when not mentioned otherwise). Adopting the notation in [?], we denote this protocol by PK{(α) : y = g^α}, where PK stands for "proof of knowledge".

Proving the knowledge of a representation of an element y to the bases g_1, ..., g_l [?], i.e., proving the knowledge of integers x_1, ..., x_l such that y = ∏_{i=1}^{l} g_i^{x_i}. This protocol is an extension of the previous one with respect to multiple bases. The prover chooses random integers r_1, ..., r_l ∈_R Z_Q, computes t := ∏_{i=1}^{l} g_i^{r_i} and sends the verifier t. The verifier returns her a randomly picked challenge c ∈_R {0,1}^k. The prover computes s_i := r_i − c x_i (mod Q) for i = 1, ..., l and sends the verifier all s_i's, who accepts, if t = y^c ∏_{i=1}^{l} g_i^{s_i} holds. This protocol is denoted by PK{(α_1, ..., α_l) : y = ∏_{i=1}^{l} g_i^{α_i}}.

Proving the equality of the discrete logarithms of elements y_1 and y_2 to the bases g and h, respectively [?]. Let y_1 = g^x and y_2 = h^x. The prover chooses a random r ∈_R Z_Q, computes t_1 := g^r, t_2 := h^r, and sends t_1, t_2 to the verifier. The verifier picks a random challenge c ∈_R {0,1}^k and sends it to the prover. The prover computes s := r − cx (mod Q) and sends s to the verifier. The verifier accepts, if g^s y_1^c = t_1 and h^s y_2^c = t_2 holds. This protocol is denoted by PK{(α) : y_1 = g^α ∧ y_2 = h^α}. Note that this method allows also to prove that one discrete log is the square of another one (modulo the group order), e.g., PK{(α) : y_1 = g^α ∧ y_2 = y_1^α}.

Proving the knowledge of (at least) one out of the discrete logarithms of the elements y_1 and y_2 to the base g (proof of OR) [?]. W.l.o.g., we assume that the prover knows x = log_g y_1. Then she chooses r_1, s_2 ∈_R Z_Q, c_2 ∈_R {0,1}^k and computes t_1 := g^{r_1}, t_2 := g^{s_2} y_2^{c_2} and sends t_1 and t_2 to the verifier. The verifier picks a random challenge c ∈_R {0,1}^k and sends it to the prover. The prover computes c_1 := c ⊕ c_2 and s_1 := r_1 − c_1 x (mod Q) (where ⊕ denotes the bit-wise XOR operation) and sends s_1, s_2, c_1, and c_2 to the verifier. The verifier accepts, if c_1 ⊕ c_2 = c and t_i = g^{s_i} y_i^{c_i} holds for i ∈ {1, 2}. This protocol is denoted by PK{(α, β) : y_1 = g^α ∨ y_2 = g^β}. This approach can be extended to an efficient system for proving arbitrary monotone statements built with ∧'s and ∨'s [?].

Proving the knowledge of a discrete logarithm that lies in a given range, that is, 2^{ℓ_1} − 2^{ℓ_2} < log_g y < 2^{ℓ_1} + 2^{ℓ_2}, for some parameters ℓ_1 and ℓ_2. (The parameter 2^{ℓ_1} acts as an offset and can also be chosen to be zero.) In principle, this statement can be proved by first committing to every bit of x = log_g y and then showing that the committed values are either a 0 or a 1 and constitute the binary representation of x. This method is linear in the number of bits of x. A more efficient but only statistical zero-knowledge protocol can be obtained from the basic protocol proving the knowledge of log_g y by restricting the verifier to binary challenges and by requiring the prover's response s to satisfy 2^{ℓ_1} − 2^{εℓ_2+1} < s < 2^{ℓ_1} + 2^{εℓ_2+1}, where ε > 1 is a security parameter. Now, when considering how the knowledge extractor can compute an x = log_g y from two accepting protocol views with the same first message, it can be concluded that the prover must know an x = log_g y such that 2^{ℓ_1} − 2^{εℓ_2+2} < x < 2^{ℓ_1} + 2^{εℓ_2+2} holds [?]. We denote this protocol by

$$PK\{(\alpha) : y = g^{\alpha} \wedge 2^{\ell_1} - 2^{\ell_2'} < \alpha < 2^{\ell_1} + 2^{\ell_2'}\},$$

where ℓ'_2 denotes εℓ_2 + 2 (we will stick to that notation for the rest of the paper). For more details on this protocol we refer to [?]. Finally, the restriction to binary challenges can be dropped if the order of the group is not known to the prover (e.g., if a subgroup of an RSA-ring is used) and when believing in the non-standard strong RSA-assumption^ [?]. Although we describe our protocols in the following in the setting where the group's order is known to the prover, all protocols can easily be adapted to the case where the prover does not know the group's order using the techniques from [?].

All described protocols can be combined in natural ways. First of all, one can use multiple bases instead of a single one in any of the preceding protocols. Then, executing any number of instances of these protocols in parallel and choosing the same challenges for all of them in each round corresponds to the ∧-composition of the statements the single protocols prove. Using this approach, it is even possible to compose instances according to any monotone formula [?]. In the following we will make use of such compositions without having explained the technical details involved, for which we refer to [?].
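The basic protocol PK{(α) : y = g^α} and the OR composition PK{(α, β) : y_1 = g^α ∨ y_2 = g^β} from this section, as an added example that is not the paper's code, written with the paper's conventions s := r − cx (mod Q) and verification g^s y^c = t. The toy group constants and the challenge length k are constructed assumptions; the OR proof simulates the branch whose logarithm the prover does not know and splits the verifier's challenge by XOR exactly as described above.

```python
import secrets

# Constructed toy group of prime order Q: p = 2Q + 1 and g = 4 is a quadratic residue.
P, Q_ORD, G = 2039, 1019, 4
K = 8                      # challenge length k; 2^K < Q_ORD keeps the arithmetic honest here


def rand_zq() -> int:
    return secrets.randbelow(Q_ORD)


def rand_challenge() -> int:
    return secrets.randbits(K)


# PK{(alpha): y = g^alpha}
def pk_dlog_commit() -> tuple:
    r = rand_zq()
    return r, pow(G, r, P)                      # t = g^r


def pk_dlog_respond(r: int, x: int, c: int) -> int:
    return (r - c * x) % Q_ORD                  # s = r - c x (mod Q)


def pk_dlog_verify(y: int, t: int, c: int, s: int) -> bool:
    return pow(G, s, P) * pow(y, c, P) % P == t  # g^s y^c = t


# PK{(alpha, beta): y1 = g^alpha OR y2 = g^beta}; the prover knows log_g of branch `known`
def pk_or_commit(y1: int, y2: int, known: int) -> tuple:
    """First message: a real commitment for the known branch and a simulated
    (t, s, c) triple for the other branch, which can be built without its logarithm."""
    r, s_sim, c_sim = rand_zq(), rand_zq(), rand_challenge()
    y_unknown = y2 if known == 1 else y1
    t_real = pow(G, r, P)
    t_sim = pow(G, s_sim, P) * pow(y_unknown, c_sim, P) % P
    state = (r, s_sim, c_sim)
    return state, ((t_real, t_sim) if known == 1 else (t_sim, t_real))


def pk_or_respond(state: tuple, x: int, known: int, c: int) -> tuple:
    r, s_sim, c_sim = state
    c_real = c ^ c_sim                          # forces c_1 XOR c_2 = c
    s_real = (r - c_real * x) % Q_ORD
    return (s_real, s_sim, c_real, c_sim) if known == 1 else (s_sim, s_real, c_sim, c_real)


def pk_or_verify(y1: int, y2: int, ts: tuple, c: int, resp: tuple) -> bool:
    s1, s2, c1, c2 = resp
    if (c1 ^ c2) != c:
        return False
    return all(pow(G, s, P) * pow(y, ci, P) % P == t
               for s, ci, y, t in zip((s1, s2), (c1, c2), (y1, y2), ts))


def run_or_proof(x: int, known: int, y_other: int) -> bool:
    """Whole three-move OR proof: the prover knows x = log_g y_known, nothing about y_other."""
    y_known = pow(G, x, P)
    y1, y2 = (y_known, y_other) if known == 1 else (y_other, y_known)
    state, ts = pk_or_commit(y1, y2, known)
    c = rand_challenge()
    return pk_or_verify(y1, y2, ts, c, pk_or_respond(state, x, known, c))
```

The verifier cannot tell which branch was simulated, since both (t_i, c_i, s_i) triples satisfy the same equation; soundness comes from the fact that c_1 ⊕ c_2 is pinned to the verifier's c, so at most one c_i could have been chosen before t_i was sent.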
3 Secret Computations with a Secret Modulus

The goal of this section is to provide an efficient protocol to prove that a^b = d (mod n) holds for some committed integers without revealing the verifier any further information (i.e., the protocol is zero-knowledge). A step towards this goal are protocols to prove that a committed integer is the addition or the multiplication of two other committed integers modulo a third committed integer n.

The algebraic setting is as follows. Let ℓ be an integer such that −2^ℓ < a, b, d, n < 2^ℓ holds and ε > 1 be a security parameter (cf. Section 2.2). Furthermore, we assume that a group G of order Q > 2^{…} [the exponent is illegible in the source] and two generators g and h are available such that log_g h is not known. This group could for instance be chosen by the prover in which case she would have to prove that she has chosen it correctly. Finally, let the prover's commitments to a, b, d, and n be c_a := g^a h^{r_1}, c_b := g^b h^{r_2}, c_d := g^d h^{r_3}, and c_n := g^n h^{r_4}, where r_1, r_2, r_3, and r_4 are randomly chosen elements of Z_Q.

^ The strong RSA assumption states that there exists a probabilistic polynomial-time algorithm G that on input outputs an RSA-modulus n and an element z ∈ Z_n^* such that it is infeasible to find integers e ∉ {−1, 1} and u such that z = u^e (mod n).
3.1 Secret Modular Addition and Multiplication

We assume that the verifier already obtained the commitments c_a, c_b, c_d, and c_n. Then the prover can convince the verifier that a + b = d (mod n) holds by sequentially running the protocol denoted^ by

$$S_{+} := PK\{(\alpha,\beta,\gamma,\delta,\varepsilon,\zeta,\eta,\theta,\pi,\rho) : c_a = g^{\alpha}h^{\beta} \wedge (-2^{\ell'} < \alpha < 2^{\ell'}) \wedge c_b = g^{\gamma}h^{\delta} \wedge (-2^{\ell'} < \gamma < 2^{\ell'}) \wedge c_d = g^{\varepsilon}h^{\zeta} \wedge (-2^{\ell'} < \varepsilon < 2^{\ell'}) \wedge c_n = g^{\eta}h^{\theta} \wedge (-2^{\ell'} < \eta < 2^{\ell'}) \wedge c_d/(c_a c_b) = c_n^{\pi}h^{\rho} \wedge (-2^{\ell'} < \pi < 2^{\ell'})\}$$

k times. Alternatively, she can convince the verifier that ab = d (mod n) holds by running the protocol

$$S_{*} := PK\{(\alpha,\beta,\gamma,\delta,\varepsilon,\zeta,\eta,\theta,\pi,\rho) : c_a = g^{\alpha}h^{\beta} \wedge (-2^{\ell'} < \alpha < 2^{\ell'}) \wedge c_b = g^{\gamma}h^{\delta} \wedge (-2^{\ell'} < \gamma < 2^{\ell'}) \wedge c_d = g^{\varepsilon}h^{\zeta} \wedge (-2^{\ell'} < \varepsilon < 2^{\ell'}) \wedge c_n = g^{\eta}h^{\theta} \wedge (-2^{\ell'} < \eta < 2^{\ell'}) \wedge c_d = c_a^{\gamma} c_n^{\pi} h^{\rho} \wedge (-2^{\ell'} < \pi < 2^{\ell'})\}$$

k times with him.

Remark. In some applications the prover might be required to show that n has some minimal size. This can be done by showing that η lies in the range 2^{ℓ_1} − 2^{ℓ_2} < η < 2^{ℓ_1} + 2^{ℓ_2} instead of −2^{ℓ'} < η < 2^{ℓ'} for some appropriate values of ℓ_1 and ℓ_2 (cf. Section 2.2).

Theorem 1. Let a, b, d, and n be integers that are committed to by the prover as described above and assume computing discrete logarithms in G is infeasible. Then the protocol S_+ is a statistical zero-knowledge argument that a + b = d (mod n) holds. Furthermore, the protocol S_* is a statistical zero-knowledge argument that ab = d (mod n) holds. The soundness error probability for both protocols is 2^{−k}.

Proof. The statistical zero-knowledge claims follow from the statistical zero-knowledgeness of the building blocks.

Let us argue why the modular relations among the committed integers hold. First, we consider what the clauses prove that S_+ and S_* have in common. Running the prover with either protocol (and using standard techniques), the knowledge extractor can compute integers â, b̂, d̂, n̂, r̂_1, r̂_2, r̂_3, and r̂_4 such that c_a = g^{â} h^{r̂_1}, c_b = g^{b̂} h^{r̂_2}, c_d = g^{d̂} h^{r̂_3}, and c_n = g^{n̂} h^{r̂_4} holds. Moreover, −2^{ℓ'} < â < 2^{ℓ'}, −2^{ℓ'} < b̂ < 2^{ℓ'}, −2^{ℓ'} < d̂ < 2^{ℓ'}, and −2^{ℓ'} < n̂ < 2^{ℓ'} holds for these integers.

When running the prover with S_+, the knowledge extractor can further compute integers r̂_5 ∈ Z_Q and û with −2^{ℓ'} < û < 2^{ℓ'} such that c_d/(c_a c_b) = c_n^{û} h^{r̂_5} holds. Therefore, we have

$$g^{\hat d - \hat a - \hat b}\, h^{\hat r_3 - \hat r_1 - \hat r_2} = g^{\hat u \hat n}\, h^{\hat u \hat r_4 + \hat r_5}$$

and hence, provided log_g h is not known, we must have d̂ = â + b̂ + û n̂ (mod Q). Thus we have d̂ = â + b̂ + û n̂ + wQ for some integer w. Since 2^{…} < Q and due to the constraints on â, b̂, d̂, n̂, and û, we can conclude that the integer w must be 0 and so d̂ = â + b̂ (mod n̂) must hold.

Now consider the case when running the prover with S_*. In this case the knowledge extractor can additionally compute integers r̂_5 ∈ Z_Q and v̂ with −2^{ℓ'} < v̂ < 2^{ℓ'} such that c_d = c_a^{b̂} c_n^{v̂} h^{r̂_5} and thus

$$g^{\hat d}\, h^{\hat r_3} = g^{\hat a \hat b + \hat v \hat n}\, h^{\hat b \hat r_1 + \hat v \hat r_4 + \hat r_5}$$

holds. Again, assuming that log_g h is not known, we have d̂ = â b̂ + v̂ n̂ (mod Q). As before, due to 2^{…} < Q and the constraints on â, b̂, d̂, n̂, and v̂ we can conclude that d̂ = â b̂ (mod n̂) must hold for the committed values. □

3.2 Secret Modular Exponentiation

We now extend the ideas from the previous paragraph to a method for proving that a^b = d (mod n) holds. Using the same approach as above, i.e., having the prover provide a commitment to an integer that equals a^b (in Z) and proving this, would require that G has order about 2^{2^ℓ} and thus such a protocol would become rather inefficient. A more efficient protocol is obtained by constructing a^b (mod n) step by step according to the square & multiply algorithm,^ committing to all intermediary results, and then proving that everything is consistent. This protocol is exposed in the following. We assume that an upper-bound ℓ_b < ℓ on the length of b is publicly known.

1. Apart from her commitments c_a, c_b, c_d, and c_n to a, b = Σ_{i=0}^{ℓ_b−1} b_i 2^i, d, and n, the prover must commit to all the bits of b: let c_{b_i} := g^{b_i} h^{r̃_i} with r̃_i ∈_R Z_Q for i ∈ {0, ..., ℓ_b − 1}. Furthermore she needs to provide commitments to the intermediary results of the square & multiply algorithm: let c_{v_i} := g^{(a^{2^i} mod n)} h^{r̂_i} (i = 1, ..., ℓ_b − 1) be her commitments to the powers of a, i.e., a^{2^i} (mod n), where r̂_i ∈_R Z_Q, and let c_{u_i} := g^{u_i} h^{r̄_i} (i = 0, ..., ℓ_b − 2), where u_i := u_{i−1} (a^{2^i})^{b_i} (mod n), (i = 1, ..., ℓ_b − 2), u_0 = a^{b_0} (mod n), and r̄_i ∈_R Z_Q. The prover sends the verifier all these commitments.

2. To prove that a^b = d (mod n) holds, they carry out the following protocol k times.

$$S_{\exp} := PK\{(\alpha,\beta,\chi,\gamma,\delta,\varepsilon,\zeta,(\lambda_i,\mu_i,\nu_i,\vartheta_i,\varphi_i,\pi_i,\rho_i)_i) :$$

c_a = g^α h^β ∧ −2^{ℓ'} < α < 2^{ℓ'} ∧   (1)

c_d = g^γ h^δ ∧ −2^{ℓ'} < γ < 2^{ℓ'} ∧   (2)

c_n = g^ε h^ζ ∧ −2^{ℓ'} < ε < 2^{ℓ'} ∧   (3)

(∏_{i=0}^{ℓ_b−1} c_{b_i}^{2^i}) / c_b = h^χ ∧   (4)

[relations between consecutive c_{v_i}'s and c_n, illegible in the source] ∧   (5)

c_{v_1} = c_a^{…} c_n^{…} h^{…} ∧ ... ∧ c_{v_{ℓ_b−1}} = c_{v_{ℓ_b−2}}^{…} c_n^{…} h^{…} ∧   (6)

−2^{ℓ'} < λ_1 < 2^{ℓ'} ∧ ... ∧ −2^{ℓ'} < λ_{ℓ_b−1} < 2^{ℓ'} ∧   (7)

−2^{ℓ'} < ν_1 < 2^{ℓ'} ∧ ... ∧ −2^{ℓ'} < ν_{ℓ_b−1} < 2^{ℓ'} ∧   (8)

[range clauses for the c_{u_i}'s, illegible in the source] ∧   (9)

−2^{ℓ'} < π_1 < 2^{ℓ'} ∧ ... ∧ −2^{ℓ'} < π_{ℓ_b−2} < 2^{ℓ'} ∧   (10)

((c_{b_0} = h^{φ_0} ∧ c_{u_0}/g = h^{…}) ∨ (c_{b_0}/g = h^{φ_0} ∧ c_{u_0}/c_a = h^{…})) ∧   (11)

((c_{b_1} = h^{φ_1} ∧ c_{u_1}/c_{u_0} = h^{…}) ∨ (c_{b_1}/g = h^{φ_1} ∧ c_{u_1} = c_{u_0}^{…} c_n^{…} h^{…} ∧ −2^{ℓ'} < φ'_1 < 2^{ℓ'})) ∧ ... ∧   (12)

((c_{b_{ℓ_b−2}} = h^{φ_{ℓ_b−2}} ∧ c_{u_{ℓ_b−2}}/c_{u_{ℓ_b−3}} = h^{…}) ∨ (c_{b_{ℓ_b−2}}/g = h^{φ_{ℓ_b−2}} ∧ c_{u_{ℓ_b−2}} = c_{u_{ℓ_b−3}}^{…} c_n^{…} h^{…} ∧ −2^{ℓ'} < φ'_{ℓ_b−2} < 2^{ℓ'})) ∧   (13)

((c_{b_{ℓ_b−1}} = h^{φ_{ℓ_b−1}} ∧ c_d/c_{u_{ℓ_b−2}} = h^{…}) ∨ (c_{b_{ℓ_b−1}}/g = h^{φ_{ℓ_b−1}} ∧ c_d = c_{u_{ℓ_b−2}}^{…} c_n^{…} h^{…} ∧ −2^{ℓ'} < φ'_{ℓ_b−1} < 2^{ℓ'}))}   (14)

^ In practice a more enhanced exponentiation algorithm might be used (see, e.g., [?]), but one should keep in mind that it must not leak additional information about the exponent.



Let us now explain why this protocol proves that a^b = d (mod n) holds and consider the clauses of sub-protocol S_exp. What the Clauses (1)-(3) prove should be clear. The Clause (4) shows that the c_{b_i}'s indeed commit to the bits of the integer committed to in c_b (that these are indeed bits is shown in the Clauses (11)-(14)). From this it can further be concluded that c_b commits to a value smaller than 2^{ℓ_b}. The Clauses (5)-(8) prove that the c_{v_i}'s indeed contain a^{2^i} (mod n) (cf. Section 3.1). Finally, the Clauses (9)-(14) show that the c_{u_i}'s commit to the intermediary results of the square & multiply algorithm and that c_d commits to the result: The Clauses (9) and (10) show that the c_{u_i}'s commit to integers that lie in {−2^{ℓ'} + 1, ..., 2^{ℓ'} − 1} (for c_{u_0} this follows from Clause (11)). Then, Clause (11) proves that either c_{b_0} commits to a 0 and c_{u_0} commits to a 1 or c_{b_0} commits to a 1 and c_{u_0} commits to the same integer as c_a. The Clauses (12) and (13) show that for each i = 1, ..., ℓ_b − 2 either c_{b_i} commits to a 0 and c_{u_i} commits to the same integer as c_{u_{i−1}} or c_{b_i} commits to a 1 and c_{u_i} commits to the modular product of the value c_{u_{i−1}} commits to and of a^{2^i} (mod n) (which c_{v_i} commits to). Finally, Clause (14) proves (in a similar manner as the Clauses (12) and (13)) that c_d commits to the result of the square & multiply algorithm and thus to a^b (mod n).



Theorem 2. Let c_a, c_b, c_d, and c_n be commitments to integers a, b, d, and n and let c_{b_0}, ..., c_{b_{ℓ_b−1}}, c_{v_1}, ..., c_{v_{ℓ_b−1}}, c_{u_0}, ..., c_{u_{ℓ_b−2}} be auxiliary commitments. Then, assuming computing discrete logarithms in G is infeasible, the protocol S_exp is a statistical zero-knowledge argument that the equation a^b = d (mod n) holds. The soundness error probability is 2^{−k}.

Proof. The proof is straightforward from Theorem 1 and the explanations given above that c_{b_0}, ..., c_{b_{ℓ_b−1}}, c_{v_1}, ..., c_{v_{ℓ_b−1}}, c_{u_0}, ..., c_{u_{ℓ_b−2}}, and S_exp implement the square & multiply algorithm step by step. □

In the following, when denoting a protocol, we refer to the protocol S_exp by adding a clause like (α^β = γ (mod δ)) to the statement that is proven and assume that the prover sends the verifier all necessary commitments; e.g.,

$$PK\{(\alpha,\beta,\gamma,\delta,\alpha',\beta',\gamma',\delta') : c_a = g^{\alpha}h^{\alpha'} \wedge c_b = g^{\beta}h^{\beta'} \wedge c_d = g^{\gamma}h^{\gamma'} \wedge c_n = g^{\delta}h^{\delta'} \wedge (\alpha^{\beta} = \gamma \pmod{\delta})\}.$$
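The relations that S_+, S_* (Section 3.1) and S_exp (Section 3.2) assert about Pedersen commitments, as one added example serving both sections; it is not the paper's code. It builds the commitments, computes the auxiliary witnesses u and v of the proof of Theorem 1 and the committed square & multiply chain of S_exp, and checks relation by relation that c_d/(c_a c_b) = c_n^u h^ρ, c_d = c_a^b c_n^v h^ρ and the per-bit chain relations hold over the committed integers. Assumptions: the safe-prime group is found deterministically from 2^62, h = 9 is taken as a generator with unknown log_g h, the range proofs and the zero-knowledge protocol wrapping each relation are omitted (the checks below are what an honest prover's witnesses must satisfy), and a, b, n are constructed sample values.

```python
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int) -> tuple:
    """Smallest q >= start with q and p = 2q + 1 prime; G is the order-q subgroup of Z_p^*."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q_ORD = safe_prime_group(1 << 62)   # assumption: a 63-bit group suffices for the demo
G, H = 4, 9                             # quadratic residues, hence of order Q; log_G H assumed unknown


def commit(value: int, r: int) -> int:
    """Pedersen commitment g^value h^r; negative integers are reduced mod Q in the exponent."""
    return pow(G, value % Q_ORD, P) * pow(H, r % Q_ORD, P) % P


def add_witness(a, b, n, r):
    """S_+: d = a + b mod n, u with d = a + b + u*n over Z, rho with c_d/(c_a c_b) = c_n^u h^rho."""
    d = (a + b) % n
    u = (d - a - b) // n                                   # exact division
    return d, u, (r[2] - r[0] - r[1] - u * r[3]) % Q_ORD


def check_add(ca, cb, cd, cn, u, rho) -> bool:
    lhs = cd * pow(ca * cb % P, -1, P) % P
    return lhs == pow(cn, u % Q_ORD, P) * pow(H, rho, P) % P


def mul_witness(a, b, n, r):
    """S_*: d = a*b mod n, v with d = a*b + v*n over Z, rho with c_d = c_a^b c_n^v h^rho."""
    d = (a * b) % n
    v = (d - a * b) // n
    return d, v, (r[2] - b * r[0] - v * r[3]) % Q_ORD


def check_mul(ca, cd, cn, b, v, rho) -> bool:
    return cd == pow(ca, b % Q_ORD, P) * pow(cn, v % Q_ORD, P) * pow(H, rho, P) % P


def mul_relation_ok(x, rx, y, ry, z, rz, n, rn) -> bool:
    """Does c_z commit to x*y mod n, given c_x, c_n and the prover's witnesses?"""
    d, v, rho = mul_witness(x, y, n, [rx, ry, rz, rn])
    return d == z and check_mul(commit(x, rx), commit(z, rz), commit(n, rn), y, v, rho)


def exp_chain(a, b, n, lb):
    """v_i = a^(2^i) mod n (i = 0..lb-1), u_0 = a^{b_0} mod n, u_i = u_{i-1} * v_i^{b_i} mod n."""
    bits = [(b >> i) & 1 for i in range(lb)]
    v = [a % n]
    for _ in range(1, lb):
        v.append(v[-1] * v[-1] % n)
    u = [pow(a, bits[0], n)]
    for i in range(1, lb):
        u.append(u[-1] * pow(v[i], bits[i], n) % n)
    return bits, v, u


def check_exp_chain(a, b, n, lb, r_n, r_v, r_u) -> bool:
    """The relations S_exp proves: squarings for the c_{v_i}, the b_0 case (clause 11) and,
    per bit, either 'same committed value' or 'modular product' (clauses 12-14)."""
    bits, v, u = exp_chain(a, b, n, lb)
    ok = all(mul_relation_ok(v[i - 1], r_v[i - 1], v[i - 1], r_v[i - 1], v[i], r_v[i], n, r_n)
             for i in range(1, lb))
    start = commit(1, r_u[0]) if bits[0] == 0 else commit(a, r_u[0])   # u_0 = 1 or u_0 = a
    ok = ok and commit(u[0], r_u[0]) == start
    for i in range(1, lb):
        if bits[i] == 0:   # u_i = u_{i-1}: the quotient of the commitments is a power of h
            quotient = commit(u[i], r_u[i]) * pow(commit(u[i - 1], r_u[i - 1]), -1, P) % P
            ok = ok and quotient == pow(H, (r_u[i] - r_u[i - 1]) % Q_ORD, P)
        else:              # u_i = u_{i-1} * v_i mod n
            ok = ok and mul_relation_ok(u[i - 1], r_u[i - 1], v[i], r_v[i], u[i], r_u[i], n, r_n)
    return ok and u[-1] == pow(a, b, n)
```

The check functions take the witnesses explicitly because this example shows the algebra, not the zero-knowledge layer: in the protocol, each `check_*` equation becomes one clause of a PK statement proved with the Schnorr-type building blocks of Section 2.2, and the range proofs are what make the integer equations (rather than equations modulo Q) follow, as the proof of Theorem 1 explains.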



3.3 Efficiency Analysis 

We assume that G is chosen such that group elements can be represented with about log Q bits. For both S_+ and S_* the prover and the verifier both need to compute 5 multi-exponentiations per round. The communication per round is about 10 log Q + 5ℓ' bits in case of S_+ and S_*. In case of S_exp the prover and the verifier need to compute about 7ℓ_b multi-exponentiations per round. Additionally, the prover needs to compute about [?] multi-exponentiations in advance of the protocol (these are the computations of the commitments to the intermediary results of the square & multiply algorithm). The communication cost per round is about 14ℓ_b log Q + [?] bits and an initial [?] group elements, which are the commitments to the intermediary results of the square & multiply algorithm.



3.4 Extension to a General Multivariate Polynomial

Let us outline how the correct computation of a general multivariate polynomial equation of the form

$$f(x_1, \ldots, x_t, a_1, \ldots, a_l, b_{1,1}, \ldots, b_{l,t}, n) := \sum_{i=1}^{l} a_i \prod_{j=1}^{t} x_j^{b_{i,j}} \equiv 0 \pmod{n}$$

can be shown, where all integers $x_1, \ldots, x_t, a_1, \ldots, a_l, b_{1,1}, \ldots, b_{l,t}$, and $n$ might only be given as commitments: The prover commits to all the summands $s_1 := a_1 \prod_{j=1}^{t} x_j^{b_{1,j}} \pmod n, \ldots, s_l := a_l \prod_{j=1}^{t} x_j^{b_{l,j}} \pmod n$ and shows that the sum of these summands is indeed zero modulo $n$. Then, she commits to all the product terms $p_{1,1} := x_1^{b_{1,1}} \pmod n, \ldots, p_{l,t} := x_t^{b_{l,t}} \pmod n$ of the products and shows that $s_i = a_i \prod_{j=1}^{t} p_{i,j} \pmod n$. Finally, she shows that $p_{i,j} = x_j^{b_{i,j}} \pmod n$ (using the protocol $\mathcal{S}^{\wedge}$) and that for all $i$ the same $x_j$ is in $p_{i,j}$. This extends easily to several polynomial equations, where some variables appear in more than one equation.
4 A Proof that a Secret Number Is a Prime

In this section we describe how a prover and a verifier can carry out a primality test for an integer hidden in a commitment. Some primality tests reveal information about the structure of the prime and are hence not suited unless one is willing to expose this information. Examples of such tests are the Miller-Rabin test or the one based on Pocklington's theorem. A test that does not reveal such information is due to Lehmann […] and is described in the next subsection.

4.1 Lehmann's Primality Test

Lehmann's test is a variation of the Solovay-Strassen […] primality test and is based on the following theorem […].

Theorem 3. An odd integer $n > 1$ is prime if and only if

$$\forall a \in \mathbb{Z}_n^{*}:\ a^{(n-1)/2} \equiv \pm 1 \pmod n \quad \text{and} \quad \exists a \in \mathbb{Z}_n^{*}:\ a^{(n-1)/2} \equiv -1 \pmod n\,.$$

This theorem suggests the following probabilistic primality test […]:

— Choose $k$ random bases $a_1, \ldots, a_k \in \mathbb{Z}_n^{*}$,

— check whether $a_i^{(n-1)/2} \equiv \pm 1 \pmod n$ holds for all $i$'s, and

— check whether $a_i^{(n-1)/2} \equiv -1 \pmod n$ is true for at least one $i \in \{1, \ldots, k\}$.

The probability that a non-prime $n$ passes this test is at most $2^{-k}$, and that a prime $n$ does not pass this test is at most $2^{-k}$ as well. Note that in case $n$ and $(n-1)/2$ are both odd, the condition that $a_i^{(n-1)/2} \equiv -1 \pmod n$ holds for at least one $i$ can be omitted. In this special case Lehmann's test is equivalent to the Miller-Rabin test […] and the failure probability is at most $4^{-k}$.
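Lehmann's test as described above, written out as an added example (it is not the paper's code): `theorem3_holds` checks the two conditions of Theorem 3 exhaustively over $\mathbb{Z}_n^{*}$ for small $n$, `lehmann_test` is the $k$-base test including the special case where $(n-1)/2$ is odd, and `probable_prime` draws the bases at random.

```python
"""Lehmann's primality test (Theorem 3 and the k-base test above).
Added example, not the paper's code."""
import random
from math import gcd


def lehmann_value(a: int, n: int) -> int:
    """a^((n-1)/2) mod n for odd n.  By Theorem 3 this is always +-1 (with -1
    actually occurring) exactly when n is prime."""
    return pow(a, (n - 1) // 2, n)


def lehmann_test(n: int, bases) -> bool:
    """The k-base test: every base must give +-1 and at least one must give -1.
    A base outside Z_n^* shares a factor with n, so n is composite."""
    if n < 3 or n % 2 == 0:
        return n == 2
    saw_minus_one = False
    for a in bases:
        if gcd(a, n) != 1:
            return False
        x = lehmann_value(a % n, n)
        if x == n - 1:
            saw_minus_one = True
        elif x != 1:
            return False
    # When (n-1)/2 is odd the -1 condition may be dropped (see above);
    # the test then coincides with Miller-Rabin for such n.
    if ((n - 1) // 2) % 2 == 1:
        return True
    return saw_minus_one


def probable_prime(n: int, k: int, rng: random.Random) -> bool:
    """Randomised test with k bases; error probability at most 2^-k either way."""
    if n < 3 or n % 2 == 0:
        return n == 2
    return lehmann_test(n, [rng.randrange(1, n) for _ in range(k)])


def theorem3_holds(n: int) -> bool:
    """Exhaustive check of Theorem 3 over all of Z_n^* (small odd n only)."""
    vals = [lehmann_value(a, n) for a in range(1, n) if gcd(a, n) == 1]
    return all(v in (1, n - 1) for v in vals) and any(v == n - 1 for v in vals)


def is_prime_trial(n: int) -> bool:
    """Reference primality by trial division, used to cross-check Theorem 3."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True
```

The Carmichael number 561 illustrates why the $\pm 1$ condition alone is not enough to trust a base: $5^{280} \bmod 561$ is neither $1$ nor $-1$, so base 5 exposes it, while base 2 is a liar.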

4.2 Proving the Primality of a Committed Number

We now show how the prover and the verifier can apply Lehmann's primality test to a number committed to by the prover such that the verifier is convinced that the test was correctly done but does not learn any other information. The general idea is that the prover commits to $t$ random bases $a_i$ (of course, the verifier must be assured that the $a_i$'s are chosen at random) and then proves that for these bases $a_i^{(n-1)/2} \equiv \pm 1 \pmod n$ holds. Furthermore, to conform with the second condition in Theorem 3 the prover must commit to a base, say $a$, such that $a^{(n-1)/2} \equiv -1 \pmod n$ holds.

Let $\ell$ be an integer such that $n < 2^{\ell}$ holds and let $\varepsilon > 1$ be a security parameter. As in the previous section, a group $G$ of prime order $Q > (\ldots)$ and two generators $g$ and $h$ are chosen, such that $\log_g h$ is not known. Let $c_n := g^{n}h^{r_n}$ with $r_n \in_R \mathbb{Z}_Q$ be the prover's commitment to the integer on which the primality test should be performed.

The following four steps constitute the protocol. 



Proving that a Number Is the Product of Two Safe Primes 117



1. The prover picks random $\tilde a_i \in_R (\ldots)$ for $i = 1, \ldots, t$ and commits to them as $c_{\tilde a_i} := g^{\tilde a_i}h^{r_{\tilde a_i}}$ with $r_{\tilde a_i} \in_R \mathbb{Z}_Q$ for $i = 1, \ldots, t$. She sends $c_{\tilde a_1}, \ldots, c_{\tilde a_t}$ to the verifier.

2. The verifier picks random integers $-2^{\ell} < \hat a_i < 2^{\ell}$ for $i = 1, \ldots, t$ and sends them to the prover.

3. The prover computes $a_i := \tilde a_i + \hat a_i \pmod n$, $c_{a_i} := g^{a_i}h^{r_{a_i}}$ with $r_{a_i} \in_R \mathbb{Z}_Q$, $d_i := a_i^{(n-1)/2} \pmod n$, and $c_{d_i} := g^{d_i}h^{r_{d_i}}$ with $r_{d_i} \in_R \mathbb{Z}_Q$ for all $i = 1, \ldots, t$. Moreover, the prover commits to $(n-1)/2$ by $c_b := g^{(n-1)/2}h^{r_b}$ with $r_b \in_R \mathbb{Z}_Q$. Then the prover searches a base $a$ such that $a^{(n-1)/2} \equiv -1 \pmod n$ holds and commits to $a$ by $c_a := g^{a}h^{r_a}$ with $r_a \in_R \mathbb{Z}_Q$.

4. The prover sends $c_b, c_a, c_{a_1}, \ldots, c_{a_t}, c_{d_1}, \ldots, c_{d_t}$ to the verifier and then they carry out the following (sub-)protocol $k$ times.

$\mathcal{S}_P := PK\{(\alpha, \beta, \gamma, \tau, \rho, \nu, \omega, (\delta_i, \varepsilon_i, \zeta_i, \eta_i, \iota_i, \kappa_i, \mu_i, \pi_i)_{i=1}^{t}) :$

$c_b = g^{\alpha}h^{\beta} \;\wedge\; -2^{\ell} < \alpha < 2^{\ell} \;\wedge$ (15)

$c_n = g^{\nu}h^{\rho} \;\wedge\; -2^{\ell} < \nu < 2^{\ell} \;\wedge$ (16)

$c_b^{2}\,g / c_n = h^{\tau} \;\wedge$ (17)

$c_a = g^{\gamma}h^{\omega} \;\wedge\; (\gamma^{\alpha} \equiv -1 \pmod{\nu}) \;\wedge$ (18)

$c_{\tilde a_1} = g^{\delta_1}h^{\varepsilon_1} \;\wedge\; \ldots \;\wedge\; c_{\tilde a_t} = g^{\delta_t}h^{\varepsilon_t} \;\wedge$ (19)

$c_{a_1}/g^{\hat a_1} = c_{\tilde a_1}\,c_n^{\zeta_1}h^{\eta_1} \;\wedge\; \ldots \;\wedge\; c_{a_t}/g^{\hat a_t} = c_{\tilde a_t}\,c_n^{\zeta_t}h^{\eta_t} \;\wedge$ (20)

$-2^{\ell} < \delta_1 < 2^{\ell} \;\wedge\; \ldots \;\wedge\; -2^{\ell} < \delta_t < 2^{\ell} \;\wedge$ (21)

$-2^{\ell} < \zeta_1 < 2^{\ell} \;\wedge\; \ldots \;\wedge\; -2^{\ell} < \zeta_t < 2^{\ell} \;\wedge$ (22)

$c_{a_1} = g^{\iota_1}h^{\kappa_1} \;\wedge\; \ldots \;\wedge\; c_{a_t} = g^{\iota_t}h^{\kappa_t} \;\wedge$ (23)

$(c_{d_1}/g = h^{\pi_1} \;\vee\; c_{d_1}\,g = h^{\pi_1}) \;\wedge\; \ldots \;\wedge\; (c_{d_t}/g = h^{\pi_t} \;\vee\; c_{d_t}\,g = h^{\pi_t}) \;\wedge$ (24)

$c_{d_1} = g^{\mu_1}h^{\pi_1} \;\wedge\; \ldots \;\wedge\; c_{d_t} = g^{\mu_t}h^{\pi_t} \;\wedge$ (25)

$(\iota_1^{\alpha} \equiv \mu_1 \pmod{\nu}) \;\wedge\; \ldots \;\wedge\; (\iota_t^{\alpha} \equiv \mu_t \pmod{\nu})\}$ (26)

Let us analyze the protocol. In Steps 1 and 2 of the protocol, the prover and the verifier together choose the random bases $a_1, \ldots, a_t$ for the primality test. Each base is the sum (modulo $n$) of the random integer the verifier chose and the one the prover chose. Hence, both parties are ensured that the bases are random, although the verifier does not get any information about the bases finally used in the primality test. That the bases are indeed chosen according to this procedure is shown in the Clauses (19)-(23) of the sub-protocol $\mathcal{S}_P$, where the correct generation of the random values $a_i$, committed in $c_{a_i}$, is proved. The Clauses (15)-(17) prove that indeed $(n-1)/2$ is committed in $c_b$ and the Clause (18) shows that there exists a base $a$ such that $a^{(n-1)/2} \equiv -1 \pmod n$. In the Clause (24) it is shown that the values committed in $c_{d_i}$ are either equal to $-1$ or to $1$. Finally, in Clause (26) (together with the Clauses (15), (16), (23) and (25)) it is proved that $a_i^{(n-1)/2} \equiv d_i \pmod n$, i.e., $a_i^{(n-1)/2} \pmod n \in \{-1, 1\}$, and thus the conditions that $n$ is a prime with error-probability $2^{-t}$ are met.

Note that all modular exponentiations in Clause (26) have the same $b$ and $n$ and hence the proofs for these parts can be optimized. In particular, this is the case for the Clauses (…) and (…)-(…) in $\mathcal{S}^{\wedge}$.

Theorem 4. Assume computing discrete logarithms in $G$ is infeasible. Then, the above protocol is a statistical zero-knowledge argument that the integer committed to by $c_n$ is a prime. The soundness error probability is at most $2^{-k} + 2^{-t}$.

Proof. The proof is straightforward from the Theorems 1, 2 and 3. □

In the sequel, we abbreviate the above protocol by adding a clause such as $\alpha \in \mathrm{primes}(t)$ to the statement that is proven, where $t$ denotes the number of bases used in the primality test.

Remark. If $(n-1)/2$ is odd and the prover is willing to reveal this, she can additionally prove that she knows $\chi$ and $\psi$ such that $c_b/g = (g^{2})^{\chi}h^{\psi}$ and $-2^{\ell} < \chi < 2^{\ell}$ holds and skip the Clause (18). This results in a statistical zero-knowledge proof that $n$ of the form $n = 2w + 1$ is prime and $w$ is odd with error-probability at most $2^{-2t}$.

4.3 Efficiency Analysis

Assume that the commitment to the prime $n$ is given. Altogether $t+1$ protocols that a modular exponentiation holds are carried out, where the exponents are about $\log n$ bits. Thus, prover and verifier need to compute about $7t\log n$ multi-exponentiations per round each. Additionally, the prover needs to compute about $2t\log n$ multi-exponentiations for the commitments to the intermediary results of the square & multiply algorithm. (Note that the exponent in Clause (26) is the same in all relations and hence the commitments to its bits need to be computed only once.) The communication cost per round is about $14t\log n\log Q + 4t\log n\,\varepsilon\ell$ bits and an initial $2t\log n$ group elements, which are the commitments to the intermediary results of the square & multiply algorithm and the commitments to the bases of the primality test.

5 Proving that an RSA Modulus Consists of Two Safe Primes

We finally present protocols for proving that an RSA modulus consists of two safe primes. First, we restrict ourselves to the case where the verifier does not know the modulus itself but only a commitment to it. Later, we will discuss improvements for cases when the RSA modulus is known to the verifier.

5.1 A Protocol for a Secret RSA Modulus

Let $2^{\ell}$ be an upper bound on the largest factor of the modulus (i.e., $\ell$ bounds its length) and let $\varepsilon > 1$ be a security parameter. Furthermore, a group $G$ of prime order $Q > (\ldots)$ and two generators $g$ and $h$ are chosen, such that $\log_g h$ is not known and computing discrete logarithms is infeasible. Let $c_n := g^{n}h^{r_n}$ be the prover's commitment to an integer $n$, where she has chosen $r_n \in_R \mathbb{Z}_Q$, and let $p$ and $q$ denote the two prime factors of $n$. The following is a protocol that allows her to convince the verifier that $c_n$ commits to the product of two safe primes.

1. The prover computes the commitments $c_p := g^{p}h^{r_p}$, $c_{\tilde p} := g^{\tilde p}h^{r_{\tilde p}}$, $c_q := g^{q}h^{r_q}$, and $c_{\tilde q} := g^{\tilde q}h^{r_{\tilde q}}$, where $\tilde p := (p-1)/2$ and $\tilde q := (q-1)/2$, with $r_p, r_{\tilde p}, r_q, r_{\tilde q} \in_R \mathbb{Z}_Q$ and sends all these commitments to the verifier.

2. The two parties sequentially carry out the following protocol $k$ times.

$\mathcal{S}_{51} := PK\{(\alpha, \beta, \gamma, \delta, \rho, \upsilon, \xi, \nu, \varepsilon, \zeta, \eta) :$

$c_p = g^{\alpha}h^{\beta} \;\wedge\; c_q = g^{\gamma}h^{\delta} \;\wedge\; c_{\tilde p} = g^{\rho}h^{\upsilon} \;\wedge\; c_{\tilde q} = g^{\xi}h^{\nu} \;\wedge$ (27)

$c_p/(c_{\tilde p}^{2}\,g) = h^{\varepsilon} \;\wedge\; c_q/(c_{\tilde q}^{2}\,g) = h^{\zeta} \;\wedge\; c_n = c_p^{\gamma}h^{\eta} \;\wedge$ (28)

$\alpha \in \mathrm{primes}(t) \;\wedge\; \gamma \in \mathrm{primes}(t) \;\wedge$ (29)

$\rho \in \mathrm{primes}(t) \;\wedge\; \xi \in \mathrm{primes}(t)\}$, (30)

where $t$ denotes the number of bases used in Lehmann's primality tests. (The length conditions on $\alpha$, $\gamma$, $\rho$, and $\xi$ are shown in the primes($t$)-parts of the protocol.)

Theorem 5. Assume computing discrete logarithms in $G$ is infeasible. Then, the above protocol is a statistical zero-knowledge argument that the integer committed to by $c_n$ is the product of two integers $p$ and $q$ and $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes. The soundness error probability is at most $2^{-k} + 2^{-t}$.

Proof. The proof is straightforward from the Theorems 1, 2 and 4. □

The computational and communication costs of this protocol are dominated by the primality-protocols and thus about four times as high as for a single primality-protocol (cf. Subsection 4.3).

5.2 A Protocol for a Publicly Known RSA Modulus

In case the number $n$ is publicly known and fulfills some side-conditions (see below), far fewer rounds of the Lehmann test will be sufficient if the prover and the verifier first run the protocol due to Gennaro et al. [22] (which includes the protocols proposed by Peralta & van de Graaf […] and by Boyar et al. [2]). This protocol is a statistical zero-knowledge proof system that there exist two integers $a, b \geq 1$ such that $n$ consists of two primes $p = 2\tilde p^{a} + 1$ and $q = 2\tilde q^{b} + 1$ with $p, q, \tilde p, \tilde q \not\equiv 1 \pmod 8$, $p \not\equiv q \pmod 8$, $\tilde p \not\equiv \tilde q \pmod 8$ and $\tilde p, \tilde q$ are primes. Given the fact that $(p-1)/2$ is a prime power, and assuming that it is not prime, the probability that it passes a single round of Lehmann's primality test for any $a > 1$ is at most $\sqrt{2/(p-1)}$ (for $q$ the corresponding statement holds). Hence, if $p$ and $q$ are sufficiently large, a single round of Lehmann's primality test on $(p-1)/2$ and $(q-1)/2$ will be sufficient to prove their primality with overwhelming probability. Thus, the resulting protocol to prove that $n$ is the product of two safe primes is as follows.
1. First the prover computes $c_p := g^{p}h^{r_p}$, $c_{\tilde p} := g^{\tilde p}h^{r_{\tilde p}}$, $c_q := g^{q}h^{r_q}$, and $c_{\tilde q} := g^{\tilde q}h^{r_{\tilde q}}$ with $r_p, r_{\tilde p}, r_q, r_{\tilde q} \in_R \mathbb{Z}_Q$ and sends these commitments together with $n$ to the verifier.

2. The prover and the verifier carry out the protocol by Gennaro et al. [22]

3. and then $k$ times the protocol denoted by

$\mathcal{S}_{52} := PK\{(\alpha, \beta, \gamma, \delta, \rho, \upsilon, \xi, \nu, \varepsilon, \zeta, \eta) :$

$c_{\tilde p} = g^{\alpha}h^{\beta} \;\wedge\; c_{\tilde q} = g^{\gamma}h^{\delta} \;\wedge\; c_p = g^{\rho}h^{\upsilon} \;\wedge\; c_q = g^{\xi}h^{\nu} \;\wedge$ (31)

$c_p/(c_{\tilde p}^{2}\,g) = h^{\varepsilon} \;\wedge\; c_q/(c_{\tilde q}^{2}\,g) = h^{\zeta} \;\wedge\; g^{n} = c_p^{\xi}h^{\eta} \;\wedge$ (32)

$\alpha \in \mathrm{primes}(1) \;\wedge\; \gamma \in \mathrm{primes}(1)\}$, (33)

where the length conditions on $\alpha$ and $\gamma$ are hidden within the sub-protocols primes(1).

Theorem 6. Let $n$ be the product of two primes $p$ and $q$ such that $p = 2\tilde p^{a} + 1$ and $q = 2\tilde q^{b} + 1$ with $p, q, \tilde p, \tilde q \not\equiv 1 \pmod 8$, $p \not\equiv q \pmod 8$, $\tilde p \not\equiv \tilde q \pmod 8$, $a, b \geq 1$ and $\tilde p, \tilde q$ are primes. Assume computing discrete logarithms in $G$ is infeasible. Then, the protocol $\mathcal{S}_{52}$ is a statistical zero-knowledge argument that $n$ is the product of two integers $p$ and $q$ and that $p$, $q$, $(p-1)/2$, and $(q-1)/2$ are primes. Assume $p > q$. Then the soundness error probability is at most $2^{-k} + \sqrt{2/(q-1)}$.

The computational and communication costs of this protocol are dominated by the costs of a single round (i.e., $t = 1$) of the primality protocol described in the previous section and the costs of the protocol of Gennaro et al. [22].

It is obvious how to apply our techniques to get a protocol for proving that $n$ is the product of two strong primes (i.e., $(p-1)/2$, $(q-1)/2$, $(p+1)/2$ and $(q+1)/2$ are primes or have a large prime factor) or, more generally, two primes $p$ and $q$ such that $\Phi_k(p)$ and $\Phi_k(q)$ are not smooth, where $\Phi_k$ is the $k$-th cyclotomic polynomial. (Recall that smoothness of $\Phi_k(p)$ or $\Phi_k(q)$ for any integer $k > 0$, $k = O(\log n)$, allows to factor $n$ efficiently […].) Lower bounds on $p$, $q$, and on $n$ might also be shown. Also, factors $r$ other than 2 in $(p-1)/r$ could easily be incorporated.
Abstract. We present a new signature scheme which is existentially
unforgeable under chosen message attacks, assuming some variant of the 
RSA conjecture. This scheme is not based on “signature trees”, and 
instead it uses the so called “hash-and-sign” paradigm. It is unique in 
that the assumptions made on the cryptographic hash function in use 
are well defined and reasonable (although non-standard). In particular, 
we do not model this function as a random oracle. 

We construct our proof of security in steps. First we describe and prove 
a construction which operates in the random oracle model. Then we 
show that the random oracle in this construction can be replaced by 
a hash function which satisfies some strong (but well defined!) compu- 
tational assumptions. Finally, we demonstrate that these assumptions 
are reasonable, by proving that a function satisfying them exists under 
standard intractability assumptions. 

Keywords: Digital Signatures, RSA, Hash and Sign, Random Oracle, 
Smooth Numbers, Chameleon Hashing. 



1 Introduction 

Digital signatures are a central cryptographic primitive, hence the question of their (proven) security is of interest. In […] Goldwasser, Micali and Rivest formally defined the strongest notion of security for digital signatures, namely "existential unforgeability under an adaptive chosen message attack". Since then, there have been many attempts to devise practical schemes which are secure even in the presence of such attacks.

Goldwasser, Micali and Rivest presented a scheme in […] which provably meets this definition (under some standard computational assumption). Their scheme is based on signature trees, where the messages to be signed are associated with the leaves of a binary tree, and each node in the tree is authenticated with respect to its parent. Although this scheme is feasible, it is not very practical, since a signature on a message involves many such authentication steps (one for each level of the tree). This was improved by Dwork and Naor […] and Cramer and Damgård […], who use "flat trees" with high degree and small depth, resulting in schemes where (for a reasonable setting of the parameters) it only takes about four basic authentication steps to sign a message. Hence in these schemes the time for generating a signature and its verification (and the size of the signatures) is about four times larger than in the RSA signature scheme, for which no such proof of security exists. Besides efficiency concerns, another drawback of these schemes is their "stateful" nature, i.e. the signer has to store some information from previously signed messages.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 123-139, 1999.

Another line of research concentrates on hash-and-sign schemes, where the message to be signed is hashed using a so called "cryptographic hash function" and the result is signed using a "standard signature scheme" such as RSA or DSA. Although hash-and-sign schemes are very efficient, they only enjoy a heuristic level of security: the only known security proofs for hash-and-sign schemes are carried out in a model where the hash function is replaced by a random oracle. It is hoped that these schemes remain secure as long as the hash function used is "complicated enough" and "does not interact badly" with the rest of the signature scheme. This "random oracle paradigm" was introduced by Bellare and Rogaway in […], where they show how it can be used to devise signature schemes from any trapdoor permutation. They later described concrete implementations for the RSA and Rabin functions (with some security improvements) in […]. Also, Pointcheval and Stern proved similar results with respect to ElGamal-like schemes in […].

Security proofs in the random oracle model, however, can only be considered a heuristic. A recent result by Canetti, Goldreich and Halevi […] demonstrates that "behaving like a random oracle" is not a property that can be realized in general, and that security proofs in the random-oracle model do not always imply the security of the actual scheme in the "real world". Although this negative result does not mean that the schemes in […] cannot be proven secure in the standard model, to this day nobody was able to formalize precisely the requirements on the cryptographic hash functions in these schemes, or to construct functions that can provably replace the random oracle in any of them.

Our result. We present a new construction of a hash-and-sign scheme (similar to the standard hash-and-sign RSA), for which we can prove security in a standard model, without a random oracle. Instead, the security proof is based on a stronger version of the RSA assumption and on some specific constructible properties that we require from the hash function. At the same time, our scheme enjoys the same level of efficiency as typical hash-and-sign schemes. Compared to tree-based schemes this new algorithm fares better in terms of efficiency (typically 2.5 times faster), size of keys and signatures, and does not require the signer to keep state (other than the secret signature key).



1.1 The New Construction 

Our scheme resembles the standard RSA signature algorithm, but with a novel 
and interesting twist. The main difference is that instead of encoding the message 
in the base of the exponent and keeping the public exponent fixed, we encode 
the message in the exponent while keeping a fixed public base. 

Set up. The public key is an RSA modulus $n = pq$ and a random element $s \in \mathbb{Z}_n^{*}$.



Secure Hash-and-Sign Signatures Without the Random Oracle 125



Signing. To sign a message $M$ with respect to the public key $(n, s)$, the signer first applies a hash function to compute the value $e = H(M)$, and then uses it as an exponent, i.e. he finds the $e$'th root of $s$ mod $n$. Hence a signature on $M$ is an integer $\sigma$ such that $\sigma^{e} = s \bmod n$.

Assumptions and requirements. In our case, it is necessary to choose $p, q$ as "safe" or "quasi-safe" primes (i.e., such that $(p-1)/2$, $(q-1)/2$ are either primes or prime powers). In particular, this choice implies that $p-1$, $q-1$ do not have any small prime factors other than 2, and that finding an odd integer which is not co-prime with $\phi(n)$ is as hard as factoring $n$. This guarantees that extracting roots when $e = H(M)$ is always possible (short of factoring $n$).

Intuitively, the reason that we can prove the security of our scheme without viewing $H$ as a random oracle is that in RSA the base must be random, but the exponent can be arbitrary. Indeed, it is widely believed that the RSA conjecture holds for any fixed exponent (greater than one). Moreover, if $e_1, e_2$ are two different exponents, then learning the $e_1$'th root of a random number $s$ does not help in computing the $e_2$'th root of $s$, as long as $e_2$ does not divide $e_1$. Hence, it turns out that the property of $H$ that is needed for this construction is that it is hard to find a sequence of messages $M_1, M_2, \ldots$ such that for some $i$, $H(M_i)$ divides the other $H(M_j)$'s. In the sequel, we call this property of the hash function division intractability.

In our scheme, an attacker who on input $(n, s)$ can find both an exponent $e$ and the $e$'th root of $s$ may have the ability to forge messages. Thus our formal security proof is based on the assumption that such a task is computationally infeasible. This stronger variant of the RSA assumption has already appeared in the literature, in a recent work of Barić and Pfitzmann for constructing fail-stop signatures without trees […].

The proof. We present our proof in three steps: 

1. First, we prove the security of the scheme in the random oracle model. This step already presents some technical difficulties. One of the main technical problems for this part is to prove that a random oracle is division-intractable. We prove this using some facts about the density of smooth numbers.

2. Next, we show that the random oracle in the proof of Step 1 can be replaced by a hash function which satisfies some (well defined) computational assumptions. We believe that this part is the main conceptual contribution of this work.

We introduce a new computational assumption which is quite common in complexity theory, yet we are unaware of any use of this type of assumption in cryptography. Instead of assuming that there is no efficient algorithm that solves some problem, we assume that there is no efficient reduction between two problems. We elaborate on this issue in Subsection 5.2.

3. As we have introduced these non-standard assumptions, we need to justify that they are "reasonable". (Surely, we should explain why they are more reasonable than assuming that a hash function "behaves like a random oracle".)

We do this by showing how to construct functions that satisfy these assumptions from any collision-intractable hash function and Chameleon commitment scheme […]. It follows, for example, that such functions exist if factoring is hard. As we explained above, this is in sharp contrast to the hash functions that are needed in previous hash-and-sign schemes, for which no provable construction is known.

2 Preliminaries 

Before discussing our scheme, let us briefly present some notations and definitions which are used throughout the paper. In the sequel we usually denote integers by lowercase English letters, and strings by uppercase English letters. We often identify integers with their binary representation. The set of positive integers is denoted by $\mathbb{N}$.

Families of hash functions. We usually consider hash functions which map strings of arbitrary length into strings of a fixed length. In some constructions we allow these functions to be randomized. Namely, we consider functions of the type $h : \$ \times \{0,1\}^{*} \to \{0,1\}^{k}$ for some set of coins $\$$ and some integer $k$. We write either $h(X) = Y$ or $h(R; X) = Y$, where $R \in \$$, $X \in \{0,1\}^{*}$, and $Y$ is the output of $h$ on the input $X$ (and the coins $R$, if they are specified).

A family of hash functions is a sequence $\mathcal{H} = \{H_k\}_k$ where each $H_k$ is a collection of functions as above, such that each function in $H_k$ maps arbitrary-length strings into strings of length $k$. The properties of such hashing families that are of interest to us are collision-intractability, which was defined by Damgård in […], and division-intractability (which we define below). For the latter, we view the output of the hash function as the binary representation of an integer. For our scheme we use hash functions with the special property that their output is always an odd integer. Such a function can be easily obtained from an arbitrary hash function by setting $h'(X) = h(X)|1$ (or just setting the lowest bit of $h(X)$ to one).

Definition 1 (Collision intractability […]). A hashing family $\mathcal{H}$ is collision intractable if it is infeasible to find two different inputs that map to the same output. Formally, for every probabilistic polynomial time algorithm $A$ there exists a negligible function negl() such that

$$\Pr_{h \in H_k}\left[A(h) = (X_1, X_2) \text{ s.t. } X_1 \neq X_2 \text{ and } h(X_1) = h(X_2)\right] = \mathrm{negl}(k)$$

If $h$ is randomized, we let the adversary algorithm $A$ choose both the input and the randomness. That is, $A$ is given a randomly chosen function $h$ from $H_k$, and it needs to find two pairs $(R_1, X_1), (R_2, X_2)$ such that $X_1 \neq X_2$ but $h(R_1; X_1) = h(R_2; X_2)$.

Definition 2 (Division intractability). A hashing family $\mathcal{H}$ is division intractable if it is infeasible to find distinct inputs $X_1, \ldots, X_n, Y$ such that $h(Y)$ divides the product of the $h(X_i)$'s. Formally, for every probabilistic polynomial time algorithm $A$ there exists a negligible function negl() such that

$$\Pr_{h \in H_k}\left[A(h) = (X_1, \ldots, X_n, Y) \text{ s.t. } Y \neq X_i \text{ for } i = 1 \ldots n, \text{ and } h(Y) \text{ divides the product } \prod_{i=1}^{n} h(X_i)\right] = \mathrm{negl}(k)$$

Again, if $h$ is randomized then we let $A$ choose the inputs and the randomness. It is easy to see that a division intractable hashing family must also be collision intractable, but the converse does not hold.

Signature schemes. Recall that a signature scheme consists of three algorithms: a randomized key generation algorithm Gen, and (possibly randomized) signature and verification algorithms, Sig and Ver. The algorithm Gen is used to generate a pair of public and secret keys, Sig takes as input a message, the public and secret key and produces a signature, and Ver checks if a signature on a given message is valid with respect to a given public key. To be of any use, it must be the case that signatures that are generated by the Sig algorithm are accepted by the Ver algorithm. The strongest notion of security for signature schemes was defined by Goldwasser, Micali and Rivest as follows:

Definition 3 (Secure signatures […]). A signature scheme $S$ = (Gen, Sig, Ver) is existentially unforgeable under an adaptive chosen message attack if it is infeasible for a forger who only knows the public key to produce a valid (message, signature) pair, even after obtaining polynomially many signatures on messages of its choice from the signer.

Formally, for every probabilistic polynomial time forger algorithm $\mathcal{F}$, there exists a negligible function negl() such that

$$\Pr\left[(pk, sk) \leftarrow \mathrm{Gen}(1^{k});\ \text{for } i = 1 \ldots n\ \ldots\ :\ M \neq M_i \text{ for } i = 1 \ldots n, \text{ and } \mathrm{Ver}(pk, M, \sigma) = \mathrm{accept}\right] = \mathrm{negl}(k)$$

3 The Construction

Key generation. The key-generation algorithm in our construction resembles that of standard RSA. First, two random primes $p, q$ of the same length are chosen, and the RSA modulus is set to $n = p \cdot q$. In our case, we assume that $p, q$ are chosen as "safe" or "quasi-safe" primes (i.e., that $(p-1)/2$, $(q-1)/2$ are either primes or prime-powers). In particular, this choice implies that $p-1, q-1$ do not have any small prime factors other than 2, and that finding an odd integer which is not co-prime with $\phi(n)$ is as hard as factoring $n$. After the modulus $n$ is set, an element $s \in \mathbb{Z}_n^{*}$ is chosen at random.

Finally, since we use a hash-and-sign scheme, a hash function has to be chosen from a hashing family. The properties that we need from the hashing family are discussed in the security proof (but recall that we use a hash function whose output is always an odd integer). Below we view the hash function $h$ as part of the public key, but it may also be a system parameter, so the same $h$ can be used by everyone. The public key consists of $n, s, h$. The secret key is the primes $p$ and $q$.

Signature and verification. To sign a message $M$, the signer first hashes $M$ to get an odd exponent $e = h(M)$. Then, using its knowledge of $p, q$, the signer computes the signature $\sigma$ as the $e$'th root of the public base $s$ modulo $n$. If the hash function $h$ is randomized, then the signature consists also of the coins $R$ which were used for computing $e = h(R; M)$.

To verify a signature $\sigma$ (resp. $(\sigma, R)$) on message $M$ with respect to the hash function $h$, RSA modulus $n$ and public base $s$, one needs to compute $e = h(M)$ (resp. $e = h(R; M)$) and check that indeed $\sigma^{e} = s \pmod n$.

3.1 A Few Comments 

1. Note that with overwhelming probability, the exponent $e = h(M)$ will be co-prime with $\phi(n)$. This is since finding an odd number $e$ which is not co-prime with $\phi(n)$ is as hard as factoring $n$, for the class of moduli used in this scheme.

2. The output length of the hash function is relevant for the efficiency of the scheme. If we let the output of the hash function be $|n|$-bit long then signature generation will take roughly twice as long as standard RSA (since the signer must first compute $e^{-1} \bmod \phi(n)$ and then a modular exponentiation to compute $\sigma$). Also signature verification takes a full exponentiation modulo $n$. The efficiency can be improved by shortening the output length for $h$. However (as it will become clear from the proof of security), in order for $h$ to be division intractable, its output must be sufficiently long. Our current experimental results suggest that to get equivalent security to a 1024-bit RSA, the output size of the hash should be about 512 bits. For this choice of hash output length we have that computing a signature will be less than 1.5 times slower than for a standard RSA signature.

3. When a key for our scheme is certified, it is possible for the signer to prove that the modulus $n$ has been chosen correctly (i.e. the product of two quasi-safe primes) by using a result from […].

4 Security in the Random-Oracle Model 

As we have stated, for the security of our scheme we must use the "strong RSA conjecture" which was introduced recently by Barić and Pfitzmann. The difference between this conjecture and the standard RSA conjecture is that here the adversary is given the freedom to choose the exponent $e$. Stated formally:

Conjecture 4 (Strong-RSA […]) Given a randomly chosen RSA modulus $n$, and a random element $s \in \mathbb{Z}_n^{*}$, it is infeasible to find a pair $(e, r)$ with $e > 1$ such that $r^{e} = s \pmod n$.

The meaning of the "randomly chosen RSA modulus" in this conjecture depends on the way this modulus is chosen in the key generation algorithm. In our case, this is a product of two randomly chosen "safe" (or "quasi-safe") primes of the same length.

We start by analyzing the security of this construction in a model where the hash function $h$ is replaced by a random oracle.¹

Theorem 5. In the random oracle model, the above signature scheme is ex- 
istentially unforgeable under an adaptive chosen message attack, assuming the 
strong-RSA conjecture. 

Proof. Let The a, forger algorithm. We assume w.l.o.g. that T always queries the 
oracle about a message M before it either asks the signer to sign this message, 
or outputs (M, a) as a potential forgery. Also, let v be some polynomial upper 
bound on the number of queries that T makes to the random oracle. 

Using the same method as in Shamir’s pseudo-random generator HH , we now 
show an efficient algorithm A\ (which we call the attacker), that uses T as & 
subroutine, such that if T has probability e of forging a signature, then A\ has 
probability e' « tjv of breaking the strong RSA conjecture. 

The random-oracle attacker. The attacker $A_1$ is given an RSA modulus $n$ 
(chosen as in the key generation algorithm) and a random element $t \in Z_n^*$, and 
its goal is to find $e, r$ (with $e > 1$) such that $r^e = t \pmod n$. 

First, $A_1$ prepares the answers for the oracle queries that $\mathcal{F}$ will ask. He does 
so by picking at random $v$ odd $k$-bit integers $e_1, \ldots, e_v$ and an index $j \in \{1, \ldots, v\}$. 
Intuitively, $A_1$ bets on the chance that $\mathcal{F}$ will use its $j$’th oracle query to generate 
the forgery.^ 

Next, $A_1$ prepares the answers for signature queries that $\mathcal{F}$ will ask. $A_1$ 
computes $E = \prod_{i \ne j} e_i$ (i.e., $E$ is the product of all the $e_i$’s except $e_j$). If 
$e_j$ divides $E$, then $A_1$ outputs “failure” and halts. Otherwise, it sets $s = t^E 
\pmod n$, and initializes the forger $\mathcal{F}$, giving it the public key $(n, s)$. The attacker 
then runs the forger algorithm $\mathcal{F}$, answering: 

1. the $i$’th oracle query with the odd integer $e_i$. Namely, if the forger makes 
oracle queries $M_1, \ldots, M_v$, then $A_1$ answers these queries by setting $h(M_i) = e_i$. 

2. the signature query for message $M_i$ for $i \ne j$ with the answer $\sigma_i = t^{E/e_i} \pmod n$ 
(recall that $E/e_i$ is an integer for all $i \ne j$). 

If $\mathcal{F}$ asks a signature query for message $M_j$, or halts with an output other than 
$(M_j, \sigma)$, then $A_1$ outputs “failure” and halts. If $\mathcal{F}$ does output $(M_j, \sigma)$ for which 
$\sigma^{e_j} = s \pmod n$, then $A_1$ proceeds as follows. Using the extended Euclidean 
gcd algorithm, it computes $g = \mathrm{GCD}(e_j, E)$, and also two integers $a, b$ such that 
$a e_j + b E = g$. Then it sets $e = e_j/g$ and $r = \sigma^b \cdot t^a \pmod n$, and outputs 
$(e, r)$ as its solution to this instance of the strong-RSA problem. 

^ Also here, we assume that the random oracle always returns an odd integer as output. 
Namely, the answer of the oracle on every given query is a randomly chosen odd $k$-bit 
integer. 

^ This is where we get the $1/v$ factor in the success probability. Interestingly, this 
factor only shows up in the random oracle model, so we get a tighter reduction in 
the standard model. 

Analysis of $A_1$. If $A_1$ does not output “failure”, then it outputs a correct solution 
for the strong RSA instance at hand (except with a negligible probability): 
First, since $e_j$ does not divide $E$, then $g < e_j$, which means that $e = e_j/g > 1$. 
Moreover, we have 

$r^e = (\sigma^b \cdot t^a)^{e_j/g} \overset{(*)}{=} t \pmod n.$ 

Equality (*) holds because: (a) $\sigma^{e_j} = s = t^E \pmod n$, which implies that also 
$\sigma^{b e_j} = t^{bE}$, and hence $r^{e_j} = \sigma^{b e_j} \cdot t^{a e_j} = t^{bE + a e_j} = t^g \pmod n$; and (b) $e_j$ is co-prime with $\phi(n)$ (except with negligible 
probability), which means that so is $g$. Therefore, there is a single element $x \in Z_n^*$ 
satisfying $x^g = t^g \pmod n$, namely $x = t$; since $(r^e)^g = r^{e_j} = t^g$, it follows that $r^e = t \pmod n$. 

It is left to show, therefore, that the event in which $A_1$ does not output “failure” 
happens with probability $\epsilon' \approx \epsilon/v$. Denote by DIV the event in which $e_j$ 
divides $E$. Conditioned on the complement of DIV, $\mathcal{F}$ sees the same transcript 
when interacting with $A_1$ as when it interacts with the real signer, and so it 
outputs a valid forgery for $M_j$ with probability $\epsilon/v$ (since $j$ is chosen at random 
between 1 and $v$). It follows that the probability that $A_1$ does not output “failure” 
is $\epsilon' \ge \epsilon/v - \Pr[\mathrm{DIV}]$. In Lemma 6 we prove that when the output length 
of the random oracle is $k$, then $\Pr[\mathrm{DIV}] < 2^{-\sqrt{k}}$, which completes the proof of 
Theorem 5. 
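The reduction above as a toy simulation, added here and not part of the paper: $A_1$ embeds the strong-RSA instance $(n, t)$ into the public key $s = t^E$, answers signature queries with $t^{E/e_i}$, and turns a forgery on $M_j$ into an $e$-th root of $t$ with the extended-gcd step. The forger is replaced by a stand-in that uses the factorization of $n$ (which a real forger does not have) only so that the reduction has an input; 20-bit safe primes and 12-bit exponents are assumed toy sizes.

```python
"""Toy simulation of the random-oracle reduction in the proof of Theorem 5.

Added example, not code from the paper.  Toy sizes: two 20-bit safe primes
and 12-bit odd exponents, so every e_j (and hence g = gcd(e_j, E)) is below
p' and q' and therefore coprime to phi(n) without a separate check."""
import random


def is_prime(x):
    """Trial division, enough for the 20-bit primes used here."""
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def random_safe_prime(bits, rng):
    """Return p = 2p' + 1 with p and p' prime and p of the given bit length."""
    while True:
        pp = rng.randrange(1 << (bits - 2), 1 << (bits - 1)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


class RandomOracleAttacker:
    """A_1 of the proof: given a strong-RSA instance (n, t), it simulates
    the signer for the forger and extracts an e-th root of t from a forgery."""

    def __init__(self, n, t, v, k, rng):
        self.n, self.t = n, t
        # Oracle answers fixed in advance: v random odd k-bit integers e_1..e_v.
        self.exps = [rng.randrange(1 << (k - 1), 1 << k) | 1 for _ in range(v)]
        self.j = rng.randrange(v)                 # the bet on the forged query
        self.E = 1
        for i, e in enumerate(self.exps):
            if i != self.j:
                self.E *= e                       # E = product of e_i, i != j
        self.failed = self.E % self.exps[self.j] == 0   # the event DIV
        self.s = pow(t, self.E, n)                # public key (n, s) for the forger

    def oracle(self, i):
        """Answer to the i'th random-oracle query: h(M_i) = e_i."""
        return self.exps[i]

    def sign(self, i):
        """Signature on M_i for i != j: sigma_i = t^(E / e_i) mod n."""
        if i == self.j:
            raise RuntimeError("failure: forger asked for a signature on M_j")
        return pow(self.t, self.E // self.exps[i], self.n)

    def extract(self, sigma):
        """Turn a forgery sigma with sigma^e_j = s into (e, r) with r^e = t."""
        ej, n = self.exps[self.j], self.n
        if pow(sigma, ej, n) != self.s:
            return None                           # not a valid forgery on M_j
        g, a, b = egcd(ej, self.E)                # a*e_j + b*E = g
        e = ej // g                               # > 1 because e_j does not divide E
        # r = sigma^b * t^a; a or b may be negative, pow then uses inverses mod n.
        r = (pow(sigma, b, n) * pow(self.t, a, n)) % n
        return e, r


def toy_forger(att, phi):
    """Stand-in for the forger F: it makes the forgery on M_j with phi(n).
    A real forger has no such shortcut; this only feeds the reduction."""
    return pow(att.s, pow(att.oracle(att.j), -1, phi), att.n)


def run_reduction(seed=7, v=8, k=12):
    """Build a toy instance, run A_1 against the stand-in forger, and return
    the instance, the extracted (e, r), and whether the simulated signatures
    verified under the simulated public key."""
    rng = random.Random(seed)
    p = random_safe_prime(20, rng)
    q = random_safe_prime(20, rng)
    while q == p:
        q = random_safe_prime(20, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    t = rng.randrange(2, n)
    while t % p == 0 or t % q == 0:               # t must lie in Z_n^*
        t = rng.randrange(2, n)
    att = RandomOracleAttacker(n, t, v, k, rng)
    while att.failed:                             # rerun on the rare event DIV
        att = RandomOracleAttacker(n, t, v, k, rng)
    sigs_ok = all(pow(att.sign(i), att.oracle(i), n) == att.s
                  for i in range(v) if i != att.j)
    e, r = att.extract(toy_forger(att, phi))
    return {"n": n, "t": t, "e": e, "r": r, "sigs_ok": sigs_ok}
```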



Lemma 6. Let $e_1, \ldots, e_v$ be random odd $k$-bit integers, let $j$ be any integer $j \in 
\{1, \ldots, v\}$, and denote $E = \prod_{i \ne j} e_i$. Then, the probability that $e_j$ divides $E$ is 
less than $2^{-\sqrt{k}}$. 

Proof. As before, we denote the above event by DIV. To prove Lemma 6 we 
use some facts about the density of smooth numbers. Recall that when $x, y$ are 
integers, $0 < y < x$, we say that $x$ is $y$-smooth if all the prime factors of $x$ are 
no larger than $y$, and let $\Psi(x, y)$ denote the number of integers in the interval 
$[0, x]$ which are $y$-smooth. The following fact can be found in several texts on 
number theory (e.g., [ref]). 

Proposition 7. Fix some real number $\epsilon > 0$, let $x$ be an integer $x > 10$, let $y$ be 
another integer such that $\log x > \log y > (\log x)^{\epsilon}$, and denote $\mu \stackrel{\mathrm{def}}{=} \log x / \log y$ 
(namely, $y = x^{1/\mu}$). Then $\Psi(x, y)/x = \mu^{-\mu + f(x, \mu)}$, where $f(x, \mu) \to 0$ as 
$\mu \to \infty$, uniformly in $x$. 

Below we write somewhat informally $\Psi(x, x^{1/\mu}) = x \cdot \mu^{-\mu(1 - o(1))}$. Substituting $2^k$ 
for $x$ and $\sqrt{k}/2$ for $\mu$ in the expression above, we get 

$\Psi(2^k, 2^{2\sqrt{k}}) / 2^k = (\sqrt{k}/2)^{-\sqrt{k}(1 - o(1))/2} < 2^{-2\sqrt{k}}.$ 

We comment that the same bound also holds when we talk about odd $k$-bit 
integers (this can be shown using the fact that an even $k$-bit integer $x$ is smooth if 
and only if the $(k-1)$-bit integer $x/2$ is also smooth). If we denote by SMOOTH 
the event in which the integer $e_j$ is $2^{2\sqrt{k}}$-smooth, then by the bound above, 

$\Pr[\mathrm{SMOOTH}] < 2^{-2\sqrt{k}}.$ 

Assume, then, that the event SMOOTH does not happen. Then $e_j$ has at 
least one prime factor $p > 2^{2\sqrt{k}}$. In this case, the probability that $e_j$ divides the 
product of the other $e_i$’s is bounded by the probability that at least one of these 
$e_i$’s is divisible by $p$. But since all the other $e_i$’s are chosen at random, the 
probability that any specific $e_i$ is divisible by $p$ is at most $1/p < 2^{-2\sqrt{k}}$, and the 
probability that there exists one which is divisible by $p$ is at most $v \cdot 2^{-2\sqrt{k}}$. As $v$ 
is polynomial in $k$, we get $v \cdot 2^{-2\sqrt{k}} < 2^{-1.5\sqrt{k}}$. Combining the two bounds, we get 
$\Pr[\mathrm{DIV}] \le \Pr[\mathrm{SMOOTH}] + \Pr[\mathrm{DIV} \mid \neg\mathrm{SMOOTH}] < 2^{-2\sqrt{k}} + 2^{-1.5\sqrt{k}} < 2^{-\sqrt{k}}.$ 

4.1 The Value of k 

The above bound on $\Pr[\mathrm{DIV}]$ is very weak. For example, to get a security level 
of $2^{-80}$, this bound suggests a value of $k \approx 6000$. Although the equations above 
can be optimized, they still only give a very crude bound. One reason for this is 
that we only bound the probability that $p$, the largest prime factor of $e_j$, divides 
the product of the $e_i$’s. If $e_j$ is rather smooth, then $e_j/p$ is still rather large, so 
even if $p$ divides one of the $e_i$’s, the probability that $e_j/p$ divides the product of 
the $e_i$’s is still rather small. We therefore performed some experiments to get a 
practical estimate for the value of $k$. Our experiments suggest that $\Pr[\mathrm{DIV}]$ is 
in fact much smaller than the bound $2^{-\sqrt{k}}$. (In fact, for the values of $k$ which 
we tested, we got $\Pr[\mathrm{DIV}] \approx 2^{-k/8}$.) See more details in Appendix A. 

5 Eliminating the Random Oracle 

Below we show that the random oracle in the above proof can be replaced by 
a randomized hash function with certain properties. Clearly, this hash function 
should be division-intractable, since violating division intractability immediately 
yields an attack on the signature scheme. However, this property alone is not 
sufficient: even if we assume that the hash function is division intractable, we 
still face problems carrying out the above security proof in the standard model. 
Specifically, recall that in the previous proof, the attacker $A_1$ had to simulate the 
signer for $\mathcal{F}$, and do it without knowing the prime factorization of the modulus. 

$A_1$ was able to carry out this task since it could choose the outputs of the 
oracle (the $e_i$’s) before seeing the inputs, and so it was able to “tailor” the 
public base $s$ to these specific $e_i$’s. In a standard model this is no longer the 
case: Clearly, if $h$ is deterministic, then the forger’s choice of $M_i$’s uniquely 
determines the $e_i$’s, and the attacker has no room to play with these values. 
But even if $h$ is randomized this does not help the attacker, due to the fact 
that $h$ is also division-intractable, which implies that it is one-way. Thus, if the 
attacker first chooses $e$ and then sees $M$, it cannot find randomness $R$ for which 
$e = h(R; M)$ (even if such $R$ exists). 

As a first step towards overcoming this difficulty, we note that the hardness of 
finding such randomness $R$ is in some sense “unrelated” to the hardness of solving 
the strong RSA problem. Namely, our intuition is that being able to find $R$ should 
not help anyone solve strong RSA.^ We formalize this intuition by replacing 
the strong RSA conjecture (which asserts that there is no efficient algorithm 
to solve strong RSA), with the “funny looking” conjecture which asserts that 
there is no efficient reduction between finding the randomness $R$ and solving 
strong RSA. Technically, this is done by asserting that the strong RSA conjecture 
remains valid even in a relativized world where there is an oracle that finds this 
randomness. 



5.1 The Hashing Family 

To be able to carry out the security proof in a standard world, we have to make 
the following assumptions on the hashing family $\mathcal{H}$ used in the scheme and its 
relation to the strong RSA conjecture. 

We say that a hashing family $\mathcal{H}$ is suitable if 

1. For any $h \in \mathcal{H}$, the outputs of $h$ are always odd integers. 

2. $\mathcal{H}$ is division-intractable. 

3. For every $h \in \mathcal{H}$ and every two messages $M_1, M_2$, the distributions $h(R; M_1)$, 
$h(R; M_2)$, induced by the random choice of $R$, are statistically close.^ 

4. The strong RSA conjecture also holds in a model where there exists an oracle 
that on input $h, M, e$, returns a random $R$ subject to $h(R; M) = e$.^ 

We discuss these assumptions further in Section 5.2 below. But first let us prove 
that our signature scheme is secure when using a suitable hashing family $\mathcal{H}$. We 
stress that although one of our computational assumptions holds in a relativized 
world, we then prove the security of the scheme in the “real world”. 

Theorem 8. If $\mathcal{H}$ is suitable, then the construction above is existentially 
unforgeable under an adaptive chosen message attack. 

Proof. The proof proceeds similarly to the proof of Theorem 5, i.e. we construct 
an attacker $A_2$ which will use the forger $\mathcal{F}$. The main difference is that the 
attacker $A_2$ operates in a relativized model, given in addition access to the oracle 
from Condition 4 of the suitable hash function. We show that if the forger $\mathcal{F}$ 
has probability $\epsilon$ of breaking the scheme (in the “real world”!) then the attacker 
has probability $\epsilon' \approx \epsilon$ of solving strong RSA in the relativized world. (Note that 
this reduction is tighter than the reduction in the random-oracle model.) 

The oracle-assisted attacker. We again assume a bound of $v$ on the number 
of signatures that the forger $\mathcal{F}$ asks to see before it outputs its forgery. As 
before, $A_2$ is given an RSA modulus $n$ and a random element $t \in Z_n^*$ (chosen as 
in the key generation algorithm), and its goal is to find $e, r$ (with $e > 1$) such 
that $r^e = t \pmod n$. It starts by picking at random a hash function $h \in \mathcal{H}$ to 
be used for the forger, and $v$ arbitrary values $e_1, \ldots, e_v$ in the range of the function. 
This can be done for example by picking $v$ arbitrary “dummy messages” 
$M'_1, \ldots, M'_v$ and computing $e_i = h(R'_i; M'_i)$ (for random $R'_i$’s). 

Then $A_2$ computes $E = \prod_{i=1}^{v} e_i$, sets $s = t^E \pmod n$ and initializes $\mathcal{F}$ with the 
public key $(n, s, h)$. Whenever $\mathcal{F}$ asks for a signature on a message $M_i$, $A_2$ queries 
its randomness-finding oracle for a randomness $R_i$ for which $h(R_i; M_i) = e_i$, and 
then computes the signature by setting $\sigma_i = t^{E/e_i} \pmod n$. $A_2$ returns the pair 
$(R_i, \sigma_i)$ to $\mathcal{F}$. 

^ For example, if one thinks of $h$ as SHA-1, then we have a very strong intuition that 
finding collisions in SHA-1 provides no help in violating the RSA conjecture. 

^ Together with the collision-intractability, this implies that $\mathcal{H}$ is a statistically hiding 
string-commitment scheme. 

^ Such $R$ must exist because of Condition 3. 

It is important to note that because of Condition 3 on $\mathcal{H}$, the distribution 
that $\mathcal{F}$ sees in this simulation is statistically close to the distribution it sees when 
interacting with the real signer. In particular, since $\mathcal{H}$ is division intractable, 
$\mathcal{F}$ has only a negligible probability of finding $M', R'$ such that $e' = h(R'; M')$ 
divides the product of the $e_i$’s. 

It follows that with probability $\epsilon' \ge \epsilon - \mathrm{negl}$, $\mathcal{F}$ outputs a forgery $M', R', \sigma$ 
such that $e' = h(R'; M')$ does not divide the product of the other $e_i$’s, and 
yet $\sigma^{e'} = s \pmod n$. When this happens, the attacker $A_2$ uses the same gcd 
procedure as above to find $(e, r)$ with $e > 1$ such that $r^e = t \pmod n$. 

5.2 Discussion 

The proof in the previous section eliminates the random oracle, but substitutes it 
with a non-standard assumption: the strong RSA assumption must still be true 
even in a relativized world where finding randomness for $h$ is not hard. Is this a 
more reasonable assumption than just assuming that $h$ “behaves like a random 
oracle”? We strongly believe it is. The assumption we use has a very concrete 
interpretation in the real world, meaning that there is no reduction from the 
problem of randomness-finding for $h$ to the problem of solving the strong RSA 
problem. In other words, the difficulties of the two problems are somewhat “independent”. 
Moreover we show later that suitable families of hash functions are 
actually constructible. On the other hand the notion of “behaving as a random 
oracle” has no concrete counterpart in the real world, and there are no provable 
constructions of “good hash functions” for previously known schemes. 

It is interesting to ask if our technique of substituting the random oracle in 
the security proof with a relativized assumption can be used in other proofs that 
employ random oracles (such as [ref]). Unfortunately, it does not appear to 
be likely. The main reason our technique seems to fail in those proofs is that 
their requirement from $h$ is that the forger cannot find a message $M$ for which 
he “knows” something about $h(M)$. In our scheme instead we were able to pin 
down the specific combinatorial property we require from $h$ and flesh it out as a 
specific assumption. 

In the next section we describe a construction of a suitable family of hash 
functions. The main purpose of this construction is to prove that the assumptions 
we make can be realized. However the construction requires the signer to search 
for a prime exponent in a large subset and thus it might require a significant 
amount of time. It is however plausible to conjecture that families built from 
widely used collision-resistant hash functions such as SHA-1 [ref] can be suitable. 
The rationale is that such functions have been designed in a way that destroys 
any “structure” in the input-output relationship. In particular it is very unlikely 
(although we don’t know how to prove it) that division intractability does not 
hold for such functions. A possible candidate would be to define $h$ as follows: 

$h(R_1; R_2; R_3; R_4; M) = 1 \,|\, \mathrm{SHA1}(M|1|R_1) \,|\, \mathrm{SHA1}(M|2|R_2) \,|\, \mathrm{SHA1}(M|3|R_3) \,|\, \mathrm{SHA1}(M|4|R_4) \,|\, 1$ 

for a 642-bit exponent (this is the definition of a single $h$; a family could be 
constructed via any standard method of extending SHA-1 to a family, for example 
by keying the IV). 



6 Implementing the Hashing Family 

To argue that Conditions 1 through 4 are “reasonable” we at least need to show that 
they could be met. Namely, that there exists a function family $\mathcal{H}$ satisfying these 
conditions (under some standard assumptions). Below we show that such families 
exist, assuming that collision-intractable families and Chameleon commitment 
families exist. In particular, it follows that such families exist under the factoring 
conjecture (which is weaker than our “strong RSA” conjecture), or under the 
Discrete-log conjecture.^ 

We construct $\mathcal{H}$ in two steps: first we show how to transform any collision-intractable 
hashing family into a (randomized) division-intractable family, and 
then we show how to take any division-intractable hash function and transform 
it into one that satisfies Conditions 1 through 4. 



6.1 From Collision-Intractable to Division-Intractable 

The idea of this transformation is simply to force the output of the hash functions 
to be a prime number. Then, the function is division-intractable if and only if 
it is collision intractable. A heuristic for doing just that was suggested by Baric 
and Pfitzmann in [ref]: If $h$ is collision intractable with output length $k$, then 
define a randomized function $\tilde h$ with output length of (say) $2k$ bits, by setting, 
for $r = 0, \ldots, 2^k - 1$, $\tilde h(r; X) = 2^k \cdot h(X) + r$, provided that $2^k \cdot h(X) + r$ is an odd 
prime ($\tilde h(r; X)$ is undefined otherwise). 

It is obvious that $\tilde h$ is still collision-intractable, and that it always outputs 
primes, so it is also division-intractable. However, to argue that $\tilde h$ is efficiently 
computable, we must assume that the density of primes in the interval $[2^k h(X), 
2^k (h(X) + 1)]$ is high enough (say, a $1/\mathrm{poly}(k)$ fraction). Hence, to use this heuristic, 
one must rely on some number-theoretic conjecture about the density of primes 
in small intervals. 

^ The way we set the definitions in this paper, Condition 4 on $\mathcal{H}$ implies the strong 
RSA conjecture, so formally there is no point in using any other conjecture. This 
technicality can be dealt with in some ways, but we chose to ignore it in this preliminary 
report. 

Below we show a simple technique that allows us to get rid of this extra 
conjecture: Just as in the above heuristic, we let the output size of $\tilde h$ be larger 
than that of $h$ (letting $\tilde h$ output $3k$ bits is sufficient for our purposes), and 
partition the space of outputs in such a way that each output of the original 
$h$ is identified with a different subset of the possible outputs of $\tilde h$. However, we 
choose the partition in a randomized manner, so we can prove that (with high 
probability) each one of the subsets is dense with primes. 

The main tool that we use in this transformation is universal hashing families 
as defined by Carter and Wegman in [ref]. Recall that a universal family of hash 
functions from a domain $D$ to a range $R$ is a collection $U$ of such functions, such 
that for all $X_1 \ne X_2 \in D$ and all $Y_1, Y_2 \in R$, $\Pr_f[f(X_1) = Y_1 \text{ and } f(X_2) = Y_2] = 1/|R|^2$ 
(the probability is taken over the uniformly random choice of $f \in U$). 
Several constructions of such universal families were described in [ref]. 

In our case, we use universal hash functions which map $3k$ bits to $k$ bits, 
with the property that given a function $f \in U$ and a $k$-bit string $Y$, it is possible 
to efficiently sample uniformly from the space $\{X \in \{0,1\}^{3k} : f(X) = Y\}$. 
For any function $f : \{0,1\}^{3k} \to \{0,1\}^k$, we associate a partition of the set of 
outputs ($\{0,1\}^{3k}$) into $2^k$ subsets according to the values assigned by $f$. Each 
output value of the original $h$ (which is a $k$-bit string $Y$) is then associated with 
the subset $f^{-1}(Y)$. The modified function $\tilde h$, on input $X$, outputs a random odd 
prime from the set $f^{-1}(h(X))$. Again, it is clear that $\tilde h$ is collision-intractable 
if $h$ is, and that it only outputs primes, hence it is division-intractable. On the 
other hand, a standard hashing lemma shows that with high probability over 
the random choice of $f$, the subset $f^{-1}(h(X)) \subseteq \{0,1\}^{3k}$ is dense with primes 
(for all $X$). Thus, $\tilde h$ is also efficiently computable. 

Lemma 9. Let $U$ be a universal family from $\{0,1\}^{3k}$ to $\{0,1\}^k$. Then, for all 
but a $2^{-k}$ fraction of the functions $f \in U$, for every $Y \in \{0,1\}^k$ a fraction of at 
least $1/ck$ of the elements in $f^{-1}(Y)$ are primes, for some small constant $c$. 

Proof omitted. 
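The transformation above, as an added example that is not the paper's code: it takes the affine family $f_{A,b}(X) = AX \oplus b$ over GF(2) as the universal family (an assumption; the paper leaves the family unspecified), samples uniformly from $f^{-1}(Y)$ by Gauss-Jordan elimination over the free variables, and returns a random odd prime from $f^{-1}(h(X))$ with $h$ taken to be SHA-256 truncated to $k$ bits. $k = 16$ is a toy size.

```python
"""Collision-intractable to division-intractable, as in Section 6.1.

Added example, not code from the paper.  Assumptions: the universal family is
the affine GF(2) family f_{A,b}(X) = A X xor b with a random k x 3k matrix A,
and the base hash h is SHA-256 truncated to k bits.  Bit strings are ints;
bit i of X is coordinate i.  k = 16 is a toy size."""
import hashlib
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(x):
    """Miller-Rabin with fixed bases; deterministic for x below about 3e23."""
    if x < 2:
        return False
    for sp in MR_BASES:
        if x % sp == 0:
            return x == sp
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def base_hash(data, k):
    """The collision-intractable h: SHA-256 truncated to k bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << k) - 1)


class AffineUniversalHash:
    """f(X) = A X xor b, mapping 3k bits to k bits; rows of A kept as ints."""

    def __init__(self, k, rng):
        self.k, self.m = k, 3 * k
        self.rows = [rng.getrandbits(self.m) for _ in range(k)]
        self.b = rng.getrandbits(k)

    def __call__(self, x):
        y = 0
        for i, row in enumerate(self.rows):
            y |= (bin(row & x).count("1") & 1) << i     # <row, x> over GF(2)
        return y ^ self.b

    def sample_preimage(self, y, rng):
        """Uniform X with f(X) = y (None if y is outside the image): solve
        A X = y xor b by Gauss-Jordan, then pick the free variables at random."""
        target = y ^ self.b
        eqs = [[row, (target >> i) & 1] for i, row in enumerate(self.rows)]
        pivots, r = [], 0
        for col in range(self.m):
            sel = next((i for i in range(r, len(eqs)) if (eqs[i][0] >> col) & 1), None)
            if sel is None:
                continue
            eqs[r], eqs[sel] = eqs[sel], eqs[r]
            for i in range(len(eqs)):
                if i != r and (eqs[i][0] >> col) & 1:
                    eqs[i][0] ^= eqs[r][0]
                    eqs[i][1] ^= eqs[r][1]
            pivots.append((col, r))
            r += 1
        if any(row == 0 and rhs == 1 for row, rhs in eqs):
            return None
        pivot_cols = {c for c, _ in pivots}
        x = 0
        for col in range(self.m):                       # free variables: uniform
            if col not in pivot_cols and rng.getrandbits(1):
                x |= 1 << col
        for col, i in pivots:                           # pivot = rhs xor free part
            if eqs[i][1] ^ (bin(eqs[i][0] & x).count("1") & 1):
                x |= 1 << col
        return x


def prime_hash(f, data, rng, max_tries=20000):
    """h~(X): a random odd prime from f^{-1}(h(X)), as in Section 6.1."""
    y = base_hash(data, f.k)
    for _ in range(max_tries):
        cand = f.sample_preimage(y, rng)
        if cand is not None and cand % 2 == 1 and is_probable_prime(cand):
            return cand
    raise RuntimeError("f^{-1}(h(X)) seems to have too few primes")


def demo(k=16, seed=3):
    """Two outputs of h~ for distinct messages, plus a check that sampled
    preimages map back to the requested value."""
    rng = random.Random(seed)
    f = AffineUniversalHash(k, rng)
    e1 = prime_hash(f, b"message one", rng)
    e2 = prime_hash(f, b"message two", rng)
    preimages_ok = all(f(f.sample_preimage(y, rng)) == y for y in (0, 1, 0xBEEF))
    return f, e1, e2, preimages_ok
```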

6.2 From Division-Intractable to Suitable 

Finally, we show how to take any division-intractable hashing family (that always 
outputs odd integers) and transform it into a suitable one (i.e. one that satisfies 
Conditions 1 through 4 from Subsection 5.1). To this end, we use Chameleon 
commitment schemes, as defined and constructed by Brassard, Chaum and Crépeau 
[ref]. In fact we use them as Chameleon Hashing exactly as defined and 
required in [ref]. 

The Chameleon Hashing is a function $ch(\cdot; \cdot)$ which on input a random string 
$R$ and a message $M$ is easily computed. Furthermore, it is associated with a value 
known as the “trapdoor”. It satisfies the following properties: 

— Without knowledge of the trapdoor there is no efficient algorithm that can 
find pairs $M_1, R_1$ and $M_2, R_2$ such that $ch(M_1, R_1) = ch(M_2, R_2)$. 

— There is an efficient algorithm that given the trapdoor, a pair $M_1, R_1$ and 
$M_2$ can compute $R_2$ such that $ch(M_1, R_1) = ch(M_2, R_2)$. 

— For any pair of messages $M_1, M_2$ and for randomly chosen $R_1, R_2$ the distributions 
$ch(M_1, R_1)$ and $ch(M_2, R_2)$ are statistically close. 

To transform a division intractable hash function $h$ into one that also satisfies 
Conditions 3 and 4 from Subsection 5.1 we simply apply it to the hash string 
$c = ch(R; M)$ instead of to the message $M$ itself. A little more formally, we have 
the following construction. 

Let $\mathcal{H}$ be a division-intractable family, and let $CH$ be a Chameleon hashing 
scheme. We construct a randomized family $\tilde{\mathcal{H}}$ in which each function is associated 
with a function $h \in \mathcal{H}$ and an instance $ch \in CH$. We denote this by writing 
$\tilde h_{h,ch}$. This function is defined as $\tilde h_{h,ch}(R; M) = h(ch(R; M))$ (if $h$ itself is 
randomized, then we have $\tilde h_{h,ch}(R_1, R_2; M) = h(R_2; ch(R_1; M))$). It is easy to 
see that $\tilde{\mathcal{H}}$ enjoys the following properties: 

1. $\tilde{\mathcal{H}}$ always outputs odd integers if $\mathcal{H}$ does. 

2. $\tilde{\mathcal{H}}$ is division intractable, since violating division-intractability requires either 
finding two different messages with the same hash string, or violating 
the division-intractability of $\mathcal{H}$. 

3. $\tilde{\mathcal{H}}$ is a statistically hiding hashing scheme (since $CH$ is, and $\mathcal{H}$ is collision 
intractable). 

It is left to show that $\tilde{\mathcal{H}}$ also satisfies the last condition. This is shown in the 
following proposition: 

Proposition 10. If the Strong RSA conjecture holds, then it also holds in a 
relativized world where there is a randomness-finding oracle for $\tilde{\mathcal{H}}$. 

Proof. We need to show that an efficient algorithm for solving strong RSA in a 
relativized world where there is a randomness-finding oracle for $\tilde{\mathcal{H}}$ can be used 
to solve strong RSA also in the “real world”. To do that, we use the trapdoor 
for the chameleon hashing scheme to implement the randomness-finding oracle 
in the real world. 

A little more precisely, if there exists an efficient reduction algorithm $A$ that 
solves strong RSA in the relativized world, then we construct an efficient algorithm 
that solves strong RSA (without the oracle) by picking a Chameleon 
hashing instance $ch$ together with its trapdoor. Now, we execute the algorithm 
$A$, and whenever the forger asks a query concerning the hash, $A$ turns to the 
randomness-finding oracle, which uses the randomness-finding algorithm of $CH$ 
with the trapdoor to answer that query. 

Since Chameleon hashing exists based on the factoring conjecture (which, in 
turn, is implied by the strong RSA conjecture) we have 

Corollary 11. Under the Strong RSA conjecture, suitable hashing families ex- 
ist. 
7 Conclusions 

We present a new signature scheme which has advantages in terms of both 
security and efficiency. In terms of efficiency, this scheme follows the “hash-and-sign” 
paradigm, i.e. the message is first hashed via a specific kind of hash 
function and then an RSA-like function is applied. Thus, in total the scheme 
requires a hashing operation and only one modular exponentiation. There is 
no need to maintain trees or to rely on stored information on the history 
of previous signatures. 

The security of the scheme is based on two main assumptions. One is the 
“strong RSA” assumption: although this assumption has already appeared previously 
in the literature, it is still quite new and we think it needs to be studied 
carefully. The other assumption is the existence of division-intractable hash functions. 
We showed that such functions exist and that efficient implementations 
(like the one in Section 5) are possible based on conjectures which seem to be 
supported by experimental results and which we invite the research community 
to explore. In any case the proof of security is still based on concrete computational 
assumptions rather than on idealized models of computation (like the 
random oracle model). 
A Experimental Results 

Here we describe the results of some experiments which we performed to estimate 
the “true complexity” of the division property. We tried to measure how many 
random $k$-bit integers need to be chosen until we have a good chance of finding 
one that divides the product of all the others. 

We carried out these experiments for bit-lengths 16 through 96 in increments 
of 8 (namely $k = 16, 24, \ldots, 88, 96$). For each bit length we performed 200 experiments 
in which we counted how many random integers of this length were 
chosen until one of them divides the product of the others. For each length, we 
took the second-smallest result (out of the 200 experiments) as our estimate 
for the number of integers we need to choose to get a 1% chance of violating the 
division-intractability requirement.^ 

We repeated this experiment twice: in one experiment we chose random $k$-bit 
integers, and in the other we forced the least- and most-significant bits to ‘1’. 
The results are described in Figure 1. It can be seen that the number of integers 
seems to behave exponentially in the bit-length. Specifically, for the bit-lengths 
$k = 16, \ldots, 96$, it seems to behave more or less as $2^{k/8}$ (in fact even a little more). 
Forcing the low and high bits to ‘1’ seems to increase the complexity slightly. 

^ Taking the 2nd-smallest of 200 experiments seems like a slightly better estimate 
than taking the smallest of 100 experiments, and our equipment didn’t allow us to 
do more than 200 experiments for each bit-length. 
Bit length      random      msb=lsb=1 
    16      (not recovered)       8 
    24      (not recovered)      17 
    32               23          39 
    40               50          63 
    48              151         160 
    56              307         293 
    64              691         710 
    72             1067        1472 
    80             2786        3198 
    88             3054        4013 
    96             8061        8124 

Fig. 1. Experimental results. The “random” column describes the number of random $k$-bit 
integers, and the “msb=lsb=1” column describes the number of random $k$-bit integers with 
the first and last bits set to ‘1’. 
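The experiment of Appendix A, re-implemented as an added example (not the authors' code): draw random $k$-bit integers until one of them divides the product of all the others, optionally with the most and least significant bits forced to 1, and take the second-smallest count over a number of trials as the paper does. The divisibility check is incremental, so each draw is tested against the product of the earlier draws only; the small values of $k$ and the trial counts used here are assumptions chosen so that it runs quickly.

```python
"""The Appendix A experiment, as an added example (not the authors' code):
draw random k-bit integers until one of them divides the product of all the
others, optionally forcing the most and least significant bits to 1, and take
the second-smallest count over a number of trials as the paper does.  Small k
only; the paper's runs go up to k = 96."""
import random


def random_kbit(k, rng, force_bits):
    """A random k-bit integer; with force_bits, msb and lsb are set to 1."""
    if force_bits:
        return rng.randrange(1 << (k - 1), 1 << k) | 1
    return rng.randrange(2, 1 << k)              # avoid 0 and 1


def has_divider(xs):
    """True iff some element of xs divides the product of the other elements."""
    total = 1
    for x in xs:
        total *= x
    return any((total // x) % x == 0 for x in xs)


def draw_until_divider(k, rng, force_bits=False, limit=100000):
    """Draw until the list has an element dividing the product of the others.
    The check is incremental: a new x creates a divider only if x | prod (the
    product of the earlier draws) or some earlier y divides (prod / y) * x."""
    xs, prod = [], 1
    while len(xs) < limit:
        x = random_kbit(k, rng, force_bits)
        found = prod % x == 0 or any(((prod // y) * x) % y == 0 for y in xs)
        xs.append(x)
        if found:
            return xs
        prod *= x
    raise RuntimeError("no divider within the draw limit")


def run_one(k, seed, force_bits=False):
    """One experiment with a fixed seed; returns the list drawn."""
    return draw_until_divider(k, random.Random(seed), force_bits)


def estimate(k, trials, seed, force_bits=False):
    """The paper's estimate: the 2nd-smallest count over `trials` runs (with
    200 trials this approximates the number of draws that gives a 1% chance
    of a divider)."""
    rng = random.Random(seed)
    counts = sorted(len(draw_until_divider(k, rng, force_bits)) for _ in range(trials))
    return counts[1] if len(counts) > 1 else counts[0]
```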
Abstract. In one proposed use of digital watermarks, the owner of a 
document $D$ sells slightly different documents $D^1, D^2, \ldots$ to each buyer; 
if a buyer posts his/her document $D^i$ to the web, the owner can identify 
the source of the leak. More general attacks are however possible 
in which $k$ buyers create some composite document $D^*$; the goal of the 
owner is to identify at least one of the conspirators. 

We show, for a reasonable model of digital watermarks, fundamental limits 
on their efficacy against collusive attacks. In particular, if the effective 
document length is $n$, then at most $O(\sqrt{n / \ln n})$ adversaries can defeat 
any watermarking scheme. 

Our attack is, in the theoretical model, oblivious to the watermarking 
scheme being used; in practice, it uses very little information about the 
watermarking scheme. Thus, using a proprietary system seems to give 
only a very weak defense. 

Keywords: Watermarking, Intellectual Property Protection, Collusion 
Resistance. 



1 Introduction 

1.1 The General Problem 

The very properties that have made digital media so attractive present difficult, 
not clearly surmountable, security problems. The ability to cheaply copy and 
transmit perfect copies of text, audio, and video opens up new avenues both 
for electronic commerce and for electronic piracy. The advent of ubiquitous high 
speed networks and network caching algorithms further amplifies this problem. 
Anyone will have the capability to cheaply distribute any movie, song, book, or 
picture (which we will generically call a document) in their possession to anyone 
else on the planet. The challenge is to maintain intellectual property in this 
environment. 

There are a number of approaches to this problem; we concentrate on methods 
related to digital watermarking, also known as digital fingerprinting. In one 

J. Stern (Ed.): EUROCRYPT’99, LNCS 1592, pp. 140-..., 1999. 
(c) Springer-Verlag Berlin Heidelberg 1999 

general approach, the media to be distributed is altered so that it contains a 
hidden “do not copy” signal (the “watermark”). Most or all of the hardware 
for viewing, copying, or transmitting the media looks for this signal and prevents 
illicit use. Two major problems with this approach are preventing the construction 
of illicit hardware that ignores the safeguards and preventing the erasure 
of the hidden signal. The latter problem is aggravated by the fact that one has 
to effectively distribute oracles (e.g., copying machines) that give feedback as to 
whether the signal can still be detected. 

We know of no such watermarking scheme that has survived a serious attack. 
Indeed, with one commercially distributed scheme for watermarking images, the 
mark was so delicate that owners would accidentally destroy it themselves (such 
as by resizing the image prior to selling it). 

A less ambitious use of watermarking is to identify pirates after the fact. 
That is, nothing prevents a pirate from anonymously posting one’s intellectual 
property to the web, but one should be able to identify who did so. The general 
approach is, given a document $D$, to perturb it in an unobtrusive manner to 
generate documents $D^1, \ldots, D^m$, giving each buyer a distinct copy. If the $i$-th 
buyer posts $D^i$ to the web, the document owner can identify him/her as the 
pirate. 

Innumerable schemes have been proposed for both uses; we refer to [ref] for a 
discussion of many of these schemes. 

1.2 Modeling Collusion Attacks 

Of course, a pirate may not be so cooperative as to simply post its document 
unchanged. It may attempt to alter it or, perhaps in concert with others, combine 
several documents to produce a document that cannot be linked with any of the 
“original” marked documents. 

The first theoretical modeling and treatment of collusion attacks was given 
by Boneh and Shaw [ref]. We instead use a model suggested by Cox et al. [ref]. We 
refer to [ref] for a more extensive introduction to this model, described briefly 
below. 

First, we model a document $D$ as a sequence of real numbers $(D_1, \ldots, D_n)$. 
This should not be thought of as a literal and complete description of the document, 
but as an indication of the values of “critical values” that might be changed 
by the watermarking process. For example, they may be coefficients in a wavelet 
decomposition of an image or audio stream. In [ref], it is posited that these should 
be orthogonal, independent attributes; it primarily analyzes the case where they 
are uniformly distributed. We do not make any such assumptions. 

We model collusion attacks as follows. First, we model a watermarking scheme 
as a pair of functions Mark and Detect. Mark$(D, m)$ defines a distribution on sequences 
$D^1, \ldots, D^m$, where $m$ is the total number of documents produced; Mark 
may be viewed as a randomized procedure for producing $D^1, \ldots, D^m$. 

A $t$-collusion attacker is modeled by a probabilistic polynomial time procedure 
Attack, and a distribution on distinct $i_1, \ldots, i_t$. In all of our discussions we 
assume that $i_1, \ldots, i_t$ is chosen uniformly from all $t$-element subsets. On input 
$D^{i_1}, \ldots, D^{i_t}$, Attack generates a distribution on its output, $D^*$. 

On input $D, D^1, \ldots, D^m, D^*$, Detect returns a distribution on its output $i \in 
[1, m] \cup \{0\}$. Returning an index indicates an accusation; returning 0 indicates that 
no one has been caught. For notational simplicity, we omit the $D, D^1, \ldots, D^m$ 
arguments when they are fixed or clear, writing simply Detect$(D^*)$. 

We now specify our requirements for Mark, Detect, and Attack. First, we 
consider the fidelity of the marked documents and the attacked documents. We 
require that $d(D^i, D) \le \Delta/2$, where $d$ denotes the Euclidean metric. We require 
a successful attack to achieve $d(D^*, D) \le \Delta'/2$; the closer $\Delta'$ is to $\Delta$, the better 
the attack. Intuitively, $\Delta/2$ indicates the degree to which the watermarking 
algorithm is willing to distort $D$, and $\Delta'/2$ indicates the amount of distortion 
past which the document is no longer worth stealing or protecting. 

(We use $\Delta/2$ instead of $\Delta$ to simplify the analysis. By the triangle inequality, 
our condition enforces that $d(D^i, D^j) \le \Delta$; this turns out to be the more natural 
condition to consider.) 

Next, we consider the efficacy of the detection algorithm. Detect succeeds if it returns an $i \in \{i_1, \ldots, i_t\}$. Detect can fail in two ways: (i) the owner can fail to identify any of the pirates by returning 0 (a false negative), or (ii) the owner can falsely conclude that an innocent person is a pirate (a false positive). A false negative is unfortunate; a false positive is catastrophic. If one fails to catch a pirate 90% of the time, the remaining 10% may deter some (but not all), but if one misidentifies an innocent person 1% of the time one may not be able to ever credibly accuse anyone of piracy.

1.3 Our Result 

We show a generic attack procedure Attack that defeats all watermarking schemes for the above model. It is oblivious to the Mark and Detect schemes. It has the following properties:

1. The attack uses $t = (\alpha/\varepsilon)\sqrt{n/\ln n}$ documents, where $\alpha$ is a parameter (the larger the parameter, the more effective the attack), and $\varepsilon$ controls the fidelity of the attack (we ignore integer rounding issues).

2. With high probability, it produces an attack document $D^*$ such that
$$d(D^*, D) \le (\Delta/2)(1 + 2\varepsilon^2 + o(1)).$$

3. Suppose Detect succeeds with probability above, say, $2/\sqrt{\ln n}$; then it must incur a false positive probability of $\Omega(n^{-c})$, for some c, where c depends on $\alpha$. More general tradeoffs are implied by our analysis.



1.4 Related Work 

Boneh and Shaw [1] introduced the first formal model of collusion resistance. They consider a more abstract model in which one may insert a sequence of marks into a document; each mark has a value associated with it (most usually boolean). They assume that if for all the documents available to the attacker, the i-th mark has the same value, then the attacker cannot remove this mark. If, however, two of the documents disagree on the value of the i-th mark, the attacker can change its value as it sees fit. In this model, they show upper and lower bounds for the collusion resistance as a function of the number of marks. Further improvements and additions to their basic scheme appear in [9], [8].

It is impossible to directly compare this model and its variants with that of Cox et al. [3]. The model of [3] gives a more low-level model for watermarking. One pleasing aspect of our result is that it essentially matches to within a constant factor some lower bounds on collusion resistance proven in [5]. For the case where $m = n^{O(1)}$, they show that one can achieve collusion resistance of $\Omega(\sqrt{n/\ln n})$, given a very specialized assumption about the distribution of D (or given a very restricted class of attacks). Our bounds show that this is essentially the best one can hope for, regardless of the assumptions one makes about the distribution of the documents. In contrast, there is a substantial gap in the upper and lower bounds known for the Boneh-Shaw model.



Along a similar vein, Chor, Fiat, and Naor [2] introduce traitor tracing schemes. In their scenario, a large amount of data is broadcast, or made publicly available (say by DVD disks) in encrypted form; keys allowing the data to be decrypted are individually sold. Subsequent work in this area includes [6]; a further twist on key protection is given in [4]. In one respect, these models have a similar flavor to the scenario we consider, in that one wishes to identify those who publish or resell their keys. This work, however, is intended for the regime where the plaintext is so large that it is hard to (re)broadcast it. Watermarking hopes to protect much smaller data (hundreds of kilobytes).



1.5 Road Map 

In Section 2 we describe our attack. In Section 3 we analyze its efficacy. In Section 4 we present conclusions and open problems.



2 The Attack 



Our attack is parameterized by a collusion parameter t and a noise parameter $\sigma$. We will analyze the case where $t = (\alpha/\varepsilon)\sqrt{n/\ln n}$, $\alpha$ is some (typically constant) parameter, and $\sigma = \varepsilon\Delta/\sqrt{n}$, where n is the length of the attacked document, i.e., the dimension of D, and $\varepsilon$ is a (typically small constant) parameter. Let $N(\mu, \sigma^2)$ be the Gaussian (normal) distribution with mean $\mu$ and standard deviation $\sigma$.

Described in words, the colluding attack is to average the t vectors and perturb with a random Gaussian noise at each component; $\sigma$ is to be determined later.
Attack$_{t,\sigma}(D^{i_1}, \ldots, D^{i_t})$

1. First, compute $\bar D = \frac{1}{t}\sum_{j=1}^{t} D^{i_j}$, where the sum is performed coordinate-wise. That is, each coordinate of $\bar D$ is set to be the average of the corresponding values of the sample documents.

2. Let n denote the length of $\bar D$. Choose $R = (r_1, \ldots, r_n)$ by choosing $r_j$ independently according to $N(0, \sigma^2)$, for $1 \le j \le n$. Compute $D^* = \bar D + R$.



Observe that in the abstract model, Attack uses no information about Mark, except for $\sigma$. We discuss more practical issues in Section 4.

There is a tension in our choice of t and $\sigma$. As we will see, the larger the values of t and $\sigma$, the more effective the attack. However, we would like to minimize the number t of adversaries (document copies) needed, and increasing $\sigma$ weakens the fidelity of the attacked copy.



3 Analysis 

We analyze the efficacy of Attack as a function of the parameters t and $\sigma$. First we analyze the fidelity of the attack, and then we show, for any choice of Detect, a tradeoff between the probability that it generates a false positive and the probability that it generates a false negative.



3.1 The Fidelity of the Attack 

For the rest of our discussion, high probability means with probability $1 - o(1)$ as n grows large.

Lemma 1. Suppose that $\sigma = \varepsilon\Delta/\sqrt{n}$. Then with high probability, $d(D, D^*) \le (\Delta/2)(1 + 2\varepsilon^2 + o(1))$.

Proof. (Sketch) Consider the triangle formed by $D$, $\bar D$, and $D^*$. Let $a = d(D, \bar D)$, $b = d(\bar D, D^*)$, and $c = d(D, D^*)$. Let $\theta$ be $\angle D \bar D D^*$. Then $c^2 = a^2 + b^2 - 2ab\cos\theta$. First, by the convexity of the Euclidean norm, it follows that $a \le \Delta/2$ ($\bar D$ is the centroid of points all within $\Delta/2$ of D). Now, $b^2 = \sum_{j=1}^{n} r_j^2$ (where $R = (r_1, \ldots, r_n)$ is as in Attack); hence $b^2$ is a $\chi^2$ distribution with mean $\sigma^2 n = \varepsilon^2\Delta^2$. Using simple bounds on the tail of $\chi^2$ distributions, we have that with high probability, $b^2 \le (1 + o(1))\varepsilon^2\Delta^2$. It remains to bound the magnitude of $\cos\theta$. By the spherical symmetry of the distribution on R, $\theta$ has the same distribution as the angle between two random unit rays from the origin. For this case, it is well known that $|\cos\theta|$ is $O(\sqrt{\ln n}/\sqrt{n})$ with high probability. Hence, with high probability,
$$c^2 \le (\Delta/2)^2 + (1 + o(1))\varepsilon^2\Delta^2 + O(\varepsilon\Delta^2\sqrt{\ln n}/\sqrt{n}).$$
The lemma follows.
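The geometry of Lemma 1 can be checked numerically. The following simulation is an added example, not code from the paper: it constructs a toy document D, t marked copies that each use the full fidelity budget $\Delta/2$ (a constructed stand-in for Mark, since the lemma holds for any Mark), runs the averaging-plus-noise procedure with the lemma's choice $\sigma = \varepsilon\Delta/\sqrt{n}$, and reports the three triangle sides a, b, c, the angle term $\cos\theta$ at $\bar D$, and the concentration of $b^2$ around $\varepsilon^2\Delta^2$. Parameter values (n = 2000, t = 40, $\Delta$ = 1, $\varepsilon$ = 0.5) are assumptions chosen for the demonstration. From the defender's side, the interesting output is how small the attacker's total distortion c stays relative to the $(\Delta/2)(1 + 2\varepsilon^2)$ bound, i.e. how little fidelity a coalition has to give up.

```python
import math
import random


def random_unit_vector(rng, n):
    """Uniform random direction in R^n (a normalised Gaussian vector)."""
    v = [rng.gauss(0.0, 1.0) for _ in range(n)]
    norm = math.sqrt(sum(c * c for c in v))
    return [c / norm for c in v]


def euclid(u, v):
    """Euclidean metric d(u, v) used throughout the paper's model."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def make_marked_copies(rng, D, t, delta):
    """Constructed stand-in for Mark: t copies, each exactly delta/2 from D
    in a random direction, i.e. each uses the whole fidelity budget."""
    copies = []
    for _ in range(t):
        u = random_unit_vector(rng, len(D))
        copies.append([d + (delta / 2) * c for d, c in zip(D, u)])
    return copies


def attack(rng, docs, sigma):
    """Attack_{t,sigma} from Section 2: coordinate-wise average D_bar,
    then D* = D_bar + R with R ~ N(0, sigma^2)^n."""
    t, n = len(docs), len(docs[0])
    d_bar = [sum(doc[j] for doc in docs) / t for j in range(n)]
    R = [rng.gauss(0.0, sigma) for _ in range(n)]
    d_star = [x + r for x, r in zip(d_bar, R)]
    return d_bar, d_star


def fidelity_experiment(n=2000, t=40, delta=1.0, eps=0.5, seed=1):
    """Return the quantities of Lemma 1's proof for one run (assumed toy parameters)."""
    rng = random.Random(seed)
    D = [rng.uniform(-1.0, 1.0) for _ in range(n)]      # constructed original document
    docs = make_marked_copies(rng, D, t, delta)
    sigma = eps * delta / math.sqrt(n)                   # Lemma 1's choice of sigma
    d_bar, d_star = attack(rng, docs, sigma)
    a = euclid(D, d_bar)
    b = euclid(d_bar, d_star)
    c = euclid(D, d_star)
    # cos(theta) of the angle at D_bar between the rays towards D and towards D*
    u = [x - y for x, y in zip(D, d_bar)]
    w = [x - y for x, y in zip(d_star, d_bar)]
    cos_theta = sum(p * q for p, q in zip(u, w)) / (a * b)
    return {
        "a": a, "b": b, "c": c, "cos_theta": cos_theta,
        "b2_over_eps2delta2": (b * b) / (eps * eps * delta * delta),  # ~ 1 by the chi^2 mean
        "bound": (delta / 2) * (1 + 2 * eps ** 2),                     # lemma's bound, o(1) dropped
        "max_mark_distortion": max(euclid(D, doc) for doc in docs),  # must be <= delta/2
    }


if __name__ == "__main__":
    for k, v in fidelity_experiment().items():
        print(f"{k:22s} {v:.5f}")
```

In a run with these parameters a is about $(\Delta/2)/\sqrt{t}$ (the marks average out), $b^2$ sits within a few percent of $\varepsilon^2\Delta^2$, $|\cos\theta|$ is of order $1/\sqrt{n}$, and c comes out near $\sqrt{a^2 + b^2}$, comfortably inside the lemma's bound; the law of cosines $c^2 = a^2 + b^2 - 2ab\cos\theta$ holds exactly for the returned values.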
3.2 A Tradeoff between Errors

Attack ignores the values of $i_1, \ldots, i_t$. To simplify our notation, we assume without loss of generality that the attacking coalition is $1, \ldots, t$.

Suppose on $D^*$ Detect outputs a valid value $i \in \{1, \ldots, t\}$ with probability at least p, where the probability is taken over the randomness used by Attack and any randomness used by Detect. Assume without loss of generality that Player 1 is the player most often detected. Thus, Detect($D, D^1, \ldots, D^m, D^*$) = 1 with probability $\ge p/t$. The idea is to produce another document $D'$ with a slightly different colluding set that does not include Player 1. When t is sufficiently large, $D^*$ and $D'$ cannot be reliably distinguished by Detect (or any other distinguisher). Hence Detect will output i = 1, yielding a false positive, with an unacceptably large probability.

Consider the output of Attack on $D^2, \ldots, D^{t+1}$. We define $\bar D'$ and $D'$ by
$$\bar D' = \frac{1}{t}\sum_{i=2}^{t+1} D^i \quad\text{and}\quad D' = \bar D' + R.$$
That is, $D'$ is distributed according to the output of Attack. Note that $D^1$ is not part of the set that produces $D'$.

Fixing $D, D^1, \ldots, D^m$, we consider $D'$ and $D^*$ as defining probability measures on the document space. We claim that Detect($D'$) still outputs 1 with unacceptably high probability if Detect($D^*$) outputs 1 with a reasonably large probability.

We now proceed to show that there is a tradeoff between the false positive and 
false negative probabilities. First we define a parameterized set of problematic 
documents for which the false positive probability is low. 

Definition 2. Given probability measures $D'$ and $D^*$, and a parameter $\gamma$, we define the bad set by
$$B_\gamma = \{\, x \mid \Pr_{x \leftarrow D'}[x] < \gamma \Pr_{x \leftarrow D^*}[x] \,\}.$$

This set is bad for the attacker, because Detect can safely output 1 without incurring too large a probability of producing a false positive. Lemma 3 bounds the probability that Detect makes a false positive as a function of $\gamma$.

Lemma 3. $\Pr_{x \leftarrow D'}[\mathrm{Detect}(x) = 1] \ge \gamma \cdot \left(\Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1] - \Pr_{x \leftarrow D^*}[x \in B_\gamma]\right)$.

Proof. We have
$$\Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1 \wedge x \notin B_\gamma] \ge \Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1] - \Pr_{x \leftarrow D^*}[x \in B_\gamma].$$
Thus,
$$\Pr_{x \leftarrow D'}[\mathrm{Detect}(x) = 1] \ge \Pr_{x \leftarrow D'}[\mathrm{Detect}(x) = 1 \wedge x \notin B_\gamma] \ge \gamma \cdot \Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1 \wedge x \notin B_\gamma],$$
where the last step holds because every $x \notin B_\gamma$ satisfies $\Pr_{x \leftarrow D'}[x] \ge \gamma \Pr_{x \leftarrow D^*}[x]$ by definition of $B_\gamma$.

We now obtain, for some reasonable setting of parameters, a lower bound on the false positive probability.

Lemma 4. Let $t = (\alpha/\varepsilon)\sqrt{n/\ln n}$ and $\sigma = \varepsilon\Delta/(2\sqrt{n})$. If $\Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1] \ge p/t$, for $1/p = o(\ln n)$, then
$$\Pr_{x \leftarrow D'}[\mathrm{Detect}(x) = 1] \ge \frac{\varepsilon p}{2\alpha}\, n^{-\beta - 1/2}\sqrt{\ln n},$$
where $\beta = (2/\alpha)(1 + 1/\alpha)$ and n is sufficiently large.

Proof. For the proof, we set some of the parameters in the expression given in Lemma 3 and use the lemma to lower bound the probability of a false positive. The value of $\gamma > 0$ must be chosen to balance between two competing considerations imposed by the $\gamma$ term and the $p/t - \Pr_{x \leftarrow D^*}[x \in B_\gamma]$ term. Intuitively, when $\gamma$ is close to 1, then x is often in $B_\gamma$, but this is not so advantageous for Detect; when $\gamma$ is small, it is indeed good for Detect to have $x \in B_\gamma$, but this hardly ever happens.

We will choose $\gamma$ such that $\Pr_{x \leftarrow D^*}[B_\gamma] \le p/(2t)$; $\gamma$ will be $n^{-\beta}$ for some constant $\beta$. Since $\Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1] \ge p/t$, $\Pr_{x \leftarrow D^*}[\mathrm{Detect}(x) = 1 \wedge x \notin B_\gamma] \ge p/(2t)$. Then the probability of a false positive for document instances from $D'$ will be at least $\gamma p/(2t)$.

Although each point x we consider is an n-dimensional quantity, we can exploit the spherical symmetry of n-dimensional Gaussian distributions as follows. Given a point x, let $x_\parallel$ denote the projection of x onto the line L connecting $\bar D$ and $\bar D'$. We define $d_\parallel(x)$ to be $d(\bar D, x_\parallel)$ if $\bar D$ is between $x_\parallel$ and $\bar D'$, and $-d(\bar D, x_\parallel)$ otherwise. We define $d_\perp(x)$ to be the distance from x to L.

Now, by the spherical symmetry of Gaussian distributions, we have
$$\Pr_{x \leftarrow D^*}[x] = c_n \exp\left(-\frac{d^2(x, \bar D)}{2\sigma^2}\right), \qquad \Pr_{x \leftarrow D'}[x] = c_n \exp\left(-\frac{d^2(x, \bar D')}{2\sigma^2}\right),$$
where $c_n$ is some normalization constant, depending on n. Let $\delta = d(\bar D, \bar D')$; note that $\delta \le \Delta/t$. By the Pythagorean theorem and elementary geometry, we have
$$d^2(x, \bar D) = d_\parallel^2(x) + d_\perp^2(x) \quad\text{and}\quad d^2(x, \bar D') = (d_\parallel(x) + \delta)^2 + d_\perp^2(x).$$
Hence,
$$\Pr_{x \leftarrow D^*}[x] = c_n \exp\left(-\frac{d_\parallel^2(x) + d_\perp^2(x)}{2\sigma^2}\right), \qquad \Pr_{x \leftarrow D'}[x] = c_n \exp\left(-\frac{(d_\parallel(x) + \delta)^2 + d_\perp^2(x)}{2\sigma^2}\right).$$
Let
$$b(x) \stackrel{\text{def}}{=} \frac{\Pr_{x \leftarrow D'}[x]}{\Pr_{x \leftarrow D^*}[x]} = \exp\left(-\frac{2 d_\parallel(x)\,\delta + \delta^2}{2\sigma^2}\right).$$
By definition, $B_\gamma = \{x \mid b(x) < \gamma\}$. Let $\sigma = \varepsilon\Delta/(2\sqrt{n})$, where $\varepsilon$ is to be determined later. Thus, $\delta \le 2\sigma\sqrt{n}/(\varepsilon t)$, hence
$$b(x) \ge \exp\left(-\left(\frac{2\sqrt{n}\, d_\parallel(x)}{\varepsilon t \sigma} + \frac{2n}{\varepsilon^2 t^2}\right)\right).$$
If $b(x) < \gamma$, we get
$$d_\parallel(x) \ge \sigma\left(\frac{\varepsilon t}{2\sqrt{n}}\ln\frac{1}{\gamma} - \frac{\sqrt{n}}{\varepsilon t}\right).$$
Thus, we can bound $\Pr_{x \leftarrow D^*}[B_\gamma]$ as
$$\Pr_{x \leftarrow D^*}[B_\gamma] \le \int_{\frac{\varepsilon t}{2\sqrt{n}}\ln\frac{1}{\gamma} - \frac{\sqrt{n}}{\varepsilon t}}^{\infty} \frac{1}{\sqrt{2\pi}} \exp\left(-\frac{z^2}{2}\right) dz,$$
which is upper bounded by
$$\frac{1}{\sqrt{2\pi}\left(\frac{\varepsilon t}{2\sqrt{n}}\ln\frac{1}{\gamma} - \frac{\sqrt{n}}{\varepsilon t}\right)} \exp\left(-\frac{1}{2}\left(\frac{\varepsilon t}{2\sqrt{n}}\ln\frac{1}{\gamma} - \frac{\sqrt{n}}{\varepsilon t}\right)^2\right)$$
when $\frac{\varepsilon t}{2\sqrt{n}}\ln\frac{1}{\gamma} - \frac{\sqrt{n}}{\varepsilon t} > 0$. Here, we are exploiting the spherical symmetry of our n-dimensional Gaussian distribution: projecting onto a line gives a 1-dimensional Gaussian distribution.

We are interested in the case when this is at most $p/(2t)$. Now, $t = (\alpha/\varepsilon)\sqrt{n/\ln n}$. Set $\gamma = n^{-\beta}$. Then the above bound is at most
$$\frac{1}{\sqrt{2\pi \ln n}\left(\frac{\alpha\beta}{2} - \frac{1}{\alpha}\right)}\; n^{-\frac{1}{2}\left(\frac{\alpha\beta}{2} - \frac{1}{\alpha}\right)^2}.$$
If we set $\beta = (2/\alpha)(1 + 1/\alpha)$, then for large enough n this is less than
$$\frac{1}{\sqrt{2\pi n \ln n}} < \frac{p}{2t}$$
for $p = 1/o(\ln n)$. We must also ensure that $\frac{\varepsilon t}{2\sqrt{n}}\ln\frac{1}{\gamma} - \frac{\sqrt{n}}{\varepsilon t} > 0$. When $t = (\alpha/\varepsilon)\sqrt{n/\ln n}$, for a given $\alpha$, our choice of $\beta = (2/\alpha)(1 + 1/\alpha) > 2/\alpha^2$ guarantees $\alpha\beta/2 - 1/\alpha > 0$.
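The proof of Lemma 4 rests on two mechanical facts: the likelihood ratio $b(x)$ between the two n-dimensional Gaussians depends on x only through its signed projection $d_\parallel(x)$, and with the lemma's parameter choices the resulting threshold on $d_\parallel(x)/\sigma$ simplifies to $\sqrt{\ln n}\,(\alpha\beta/2 - 1/\alpha) = \sqrt{\ln n}$. The following code is an added example, not part of the paper: it computes $t$, $\sigma$, $\gamma = n^{-\beta}$ and the threshold exactly as in the proof, checks the reduction to one dimension on a full n-dimensional sample point, and estimates $\Pr_{x \leftarrow D^*}[B_\gamma]$ by sampling the one-dimensional projection, comparing it with the Gaussian tail bound the proof uses. The constructed setting assumes $\Delta = 1$, the coalition means $\bar D$ and $\bar D'$ separated by the maximal $\delta = \Delta/t$, and deliberately small n = 100 (the algebraic identities hold for every n; only the final "less than $p/(2t)$" step needs n large).

```python
import math
import random


def lemma4_parameters(n, alpha, eps, delta=1.0):
    """Parameter choices of Lemma 4 (assumed Delta = delta): t, sigma, gamma = n^-beta,
    and the separation of the two coalition means, taken at its maximum Delta/t."""
    t = (alpha / eps) * math.sqrt(n / math.log(n))    # integer rounding ignored, as in the paper
    sigma = eps * delta / (2 * math.sqrt(n))
    beta = (2 / alpha) * (1 + 1 / alpha)
    gamma = n ** (-beta)
    delta_sep = delta / t
    return t, sigma, gamma, delta_sep


def log_b_1d(d_par, delta_sep, sigma):
    """log b(x) = -(2 d_par delta + delta^2) / (2 sigma^2): x enters only via d_par."""
    return -(2 * d_par * delta_sep + delta_sep ** 2) / (2 * sigma ** 2)


def log_b_full(x, d_bar, d_bar_prime, sigma):
    """log(Pr_{D'}[x] / Pr_{D*}[x]) from the two n-dimensional densities directly;
    the normalisation constant c_n cancels."""
    sq = lambda u, v: sum((a - b) ** 2 for a, b in zip(u, v))
    return -(sq(x, d_bar_prime) - sq(x, d_bar)) / (2 * sigma ** 2)


def bad_set_threshold(delta_sep, sigma, gamma):
    """k such that x is in B_gamma iff d_par(x) > k * sigma
    (k = (eps t / 2 sqrt n) ln(1/gamma) - sqrt n / (eps t) in the proof's notation)."""
    return (sigma / delta_sep) * math.log(1 / gamma) - delta_sep / (2 * sigma)


def tail_bound(k):
    """Standard Gaussian tail bound used in the proof: Pr[Z > k] <= phi(k) / k for k > 0."""
    return math.exp(-k * k / 2) / (math.sqrt(2 * math.pi) * k)


def bad_set_experiment(n=100, alpha=2.0, eps=0.5, samples=200_000, seed=7):
    """Return the threshold, the closed-form identity, a Monte Carlo estimate of
    Pr_{x<-D*}[B_gamma], its bound, and the 1-D/n-D reduction error (constructed setting)."""
    rng = random.Random(seed)
    t, sigma, gamma, delta_sep = lemma4_parameters(n, alpha, eps)
    k = bad_set_threshold(delta_sep, sigma, gamma)
    # Pr_{x<-D*}[B_gamma] via the projection: d_par(x) ~ N(0, sigma^2) for x ~ D*
    hits = sum(1 for _ in range(samples) if rng.gauss(0.0, sigma) > k * sigma)
    # sanity check of the reduction on one full n-dimensional point x ~ D*
    d_bar = [0.0] * n
    d_bar_prime = [0.0] * n
    d_bar_prime[0] = delta_sep            # D_bar' lies delta_sep along axis 0
    x = [rng.gauss(0.0, sigma) for _ in range(n)]
    d_par = -(x[0] - d_bar[0])            # positive when D_bar lies between x_par and D_bar'
    return {
        "k": k,
        "sqrt_ln_n": math.sqrt(math.log(n)),          # proof: k equals sqrt(ln n) for this beta
        "empirical": hits / samples,
        "bound": tail_bound(k),
        "reduction_gap": abs(log_b_full(x, d_bar, d_bar_prime, sigma)
                             - log_b_1d(d_par, delta_sep, sigma)),
    }


if __name__ == "__main__":
    for key, val in bad_set_experiment().items():
        print(f"{key:14s} {val:.6f}")
```

The empirical bad-set probability lands a little below `tail_bound(k)`, as it must, and `reduction_gap` is at floating-point noise, which is the whole content of the "projecting onto a line gives a 1-dimensional Gaussian" remark.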
3.3 The Final Calculation

Lemma 4 gives a criterion for when the output of Attack($D^{i_1}, \ldots, D^{i_t}$) will cause Detect to have a high false positive rate; however, these bad indices may be very uncommon, and almost never encountered by the Detect procedure, since we assume the adversary receives a uniformly chosen subset. It remains to bound how likely it is for such a bad $i_1, \ldots, i_t$ to be chosen. There are many ways of doing so; a very simple argument will make our point.

First, we show a high false positive rate under a different distribution of 
indices, defined by the following procedure. 

1. Choose $I = \{i_1, \ldots, i_t\}$ uniformly.

2. Determine the j maximizing the probability that, after Attack produces $D^*$, Detect returns $i_j$.

3. Remove $i_j$ from I and replace it with a new element, chosen at random (without replacement), giving $I'$.

The sets $I, I'$ are completely analogous to $\{1, \ldots, t\}$ and $\{2, \ldots, t+1\}$ in the previous analysis. Lemma 4 implies that whenever Detect catches the colluders (correctly) on set I with probability p, for $p > 1/\sqrt{\ln n}$ (and n sufficiently large), it will falsely accuse someone with probability at least $p\phi$, where
$$\phi = \frac{\varepsilon}{2\alpha}\, n^{-\beta - 1/2}\sqrt{\ln n},$$
when the attack is based on set $I'$. Note that the $1/\sqrt{\ln n}$ term can be replaced by any function f(n) where $1/\ln n = o(f(n))$.

By a simple probability calculation, if Detect is successful with probability q (catches a correct colluder) when I is chosen uniformly (as in the procedure above), it will make a false accusation with probability $(q - 1/\sqrt{\ln n})\phi$ on sets chosen according to the distribution of $I'$ in the procedure above.

We next observe that for any t-set $I^*$, $\Pr[I' = I^*] \le t\Pr[I = I^*]$. That is, the distribution on $I'$ assigns at most t times the weight to some subset than would the uniform distribution. To see this, note that for any $I^*$ there are at most $t(m - t)$ values of I in the above procedure such that $I'$ could possibly be equal to $I^*$ (there are that many ways of swapping an index out). For each of these possibilities, the probability that $I'$ is indeed equal to $I^*$ is either 0 (when the index that needed to be swapped out was not the maximally accused index) or exactly $1/(m - t)$ (the probability of swapping the right index in).

By the “flatness” property we have shown for $I'$, it then follows that if the false positive rate is $(q - 1/\sqrt{\ln n})\phi$ when the sets are chosen according to $I'$, then the false positive rate is at least $(q - 1/\sqrt{\ln n})\phi/t$ when the sets are chosen uniformly.
4 Conclusion and Open Problems

We have shown that in the framework of [3], $O(\sqrt{n/\ln n})$ adversaries suffice to break the watermarking scheme. Within this framework, the attack is essentially oblivious to the actual watermarking method. In practice, a real document consists of much more than the n-vector assumed for the theoretical model; the relationship between a document and its corresponding n-vector may be more obscure. As soon as this correspondence (and a way of computing inverses) is figured out, our attack is applicable.

An interesting open question is to generalize our result for a general class of metrics. One criticism of the Euclidean distance is that it is not always a good measure of fidelity; one would like to choose one's notion of fidelity.

A more important open question is to properly model the “do not copy” problem for watermarking. Whereas for the problem we consider, the question is what the right bound for the adversaries should be, for the other problem it is unclear whether there is a theoretically defensible solution at all.

Acknowledgements 

Uri Feige provided us with crucial assistance. Based on our preliminary notes, 
Steven Mitchell, Bob Tarjan, and Francis Zane have written and shared with us 
an alternate exposition of our methods. 



References 

1. D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. Proc. 
Advances in Cryptology — CRYPTO, Springer LNCS 963:452-465, 1995. 

2. B. Chor, A. Fiat, and M. Naor. Tracing traitors. Proc. Advances in Cryptology — 
CRYPTO, Springer LNCS 839:257-270, 1994. 

3. I. Cox, J. Kilian, T. Leighton, and T. Shamoon. A secure, robust watermark for multimedia. IEEE Transactions on Image Processing, 6(12):1673-1687, 1997.

4. C. Dwork, J. Lotspiech, and M. Naor. Digital signets: Self-enforcing protection of 
digital information (preliminary version). Proc. 28th ACM Symposium on Theory 
of Computing, pp. 489-498, 1996. 

5. J. Kilian, T. Leighton, L. R. Matheson, T. G. Shamoon, R. E. Tarjan, and F. Zane. 
Resistance of digital watermarks to collusive attacks. Technical Report TR-585-98, 
Department of Computer Science, Princeton University, 1998. 

6. M. Naor and B. Pinkas. Threshold Traitor Tracing. Proc. Advances in Cryptology 
— CRYPTO, Springer LNCS 1462:502-517, 1998. 

7. B. Pfitzmann. Trials of traced traitors. Proc. 1st International Workshop on 
Information Hiding, Springer LNCS 1174:49-64, 1996. 

8. B. Pfitzmann and M. Schunter. Asymmetric fingerprinting (extended abstract). 
Proc. Advances in Cryptology — EUROCRYPT, Springer LNCS 1070:84-95, 1996. 

9. B. Pfitzmann and M. Waidner. Anonymous fingerprinting. Proc. Advances in 
Cryptology — EUROCRYPT, Springer LNCS 1233:88-102, 1997. 

10. B. Pfitzmann and M. Waidner. Asymmetric fingerprinting for larger collusions. 
Proc. 4th ACM Conference on Computer and Communications Security, pp. 151- 
160, 1997. 



Coin-Based Anonymous Fingerprinting

Birgit Pfitzmann and Ahmad-Reza Sadeghi

Universität des Saarlandes, Fachbereich Informatik,
D-66123 Saarbrücken, Germany
{pfitzmann, sadeghi}@cs.uni-sb.de



Abstract. Fingerprinting schemes are technical means to discourage people from illegally redistributing the digital data they have legally purchased. These schemes enable the original merchant to identify the original buyer of the digital data. In so-called asymmetric fingerprinting schemes the fingerprinted data item is only known to the buyer after a sale and if the merchant finds an illegally redistributed copy, he obtains a proof convincing a third party whom this copy belonged to. All these fingerprinting schemes require the buyers to identify themselves just for the purpose of fingerprinting and thus offer the buyers no privacy. Hence anonymous asymmetric fingerprinting schemes were introduced, which preserve the anonymity of the buyers as long as they do not redistribute the data item.

In this paper a new anonymous fingerprinting scheme based on the principles of digital coins is introduced. The construction replaces the general zero-knowledge techniques from the known certificate-based construction by explicit protocols, thus bringing anonymous fingerprinting far nearer to practicality.



1 Introduction 

Fingerprinting schemes are cryptographic techniques supporting the copyright protection of digital data. They do not require tamper-resistant hardware, i.e., they do not belong to the class of copyright protection methods which prevent copying. It is rather assumed that buyers obtain data in digital form and can copy them. Buyers who redistribute copies disregarding the copyright conditions are called traitors. Fingerprinting schemes discourage traitors by enabling the original merchant to identify a traitor who originally purchased the data item. Every sold copy is slightly different from the original data item and unique to its buyer. Obviously the differences to the original represent the information embedded in the data item, which must be imperceptible. As several traitors might collude and compare their copies to find and eliminate the differences, cryptographic methods were used to make fingerprinting schemes collusion tolerant. There are different classes of fingerprinting schemes called symmetric [BMP86, BS95] and asymmetric [PS96, PW97a, BM97]. In contrast to symmetric schemes, asymmetric schemes require the data item to be fingerprinted via an interactive protocol between the buyer and the merchant where the buyer also inputs her own secret. At the end of this protocol only the buyer knows the fingerprinted data

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 150-ESI 1999.
(c) Springer-Verlag Berlin Heidelberg 1999
item. However, after finding a redistributed copy the merchant can extract information which not only enables him to identify a traitor but also provides him with a proof of treachery that convinces any third party. The main construction in was based on general primitives; an explicit construction, i.e., without such primitives, was only given for the case without significant collusions. Explicit collusion-tolerant constructions were given in [PW97a, BM97]. A special variant of fingerprinting is traitor tracing EEMEZnB]; here the keys for broadcast encryption [FN94] are fingerprinted. Asymmetric traitor tracing was introduced in [Pfi96] with a construction based on general primitives. Explicit constructions for this case were also given in [PW97a]. Even more efficient constructions were given in [KD98]; however, they are not asymmetric in the usual sense but “arbitrated”, i.e., a certain number of predefined arbiters can be convinced by the merchant (similar to the difference between arbitrated authentication codes and asymmetric signature schemes).

As in “real-life” market places, it is desired that electronic market places offer privacy to the customers. It should be possible to buy different articles (pictures, books, etc.) anonymously, since buying items can reveal a lot of behavioristic information about an individual. To allow this also for buying fingerprinted items, anonymous asymmetric fingerprinting schemes were proposed [PW97b]. Note that in normal fingerprinting (symmetric and asymmetric) the buyer has to identify herself during each purchase. In anonymous fingerprinting the anonymity of the buyers is preserved as long as they do not redistribute copies of the data item.

In this paper, we introduce a new anonymous asymmetric fingerprinting scheme based on the principles of digital coins. Our protocols are explicit, in contrast to the scheme in [PW97b], where general theorems like “every NP-language has a zero-knowledge proof system” were used, and thus far more efficient. The anonymity is information-theoretic and security computational. Security of one party relies on a restrictiveness assumption about the underlying payment system, which we formulate precisely.

2 The Model of Anonymous Fingerprinting 

The involved parties in the model are merchants M, buyers B, registration centers RC and arbiters A. For the purpose of fingerprinting it is required in this model that buyers register themselves to a registration center RC (e.g., their bank). The required trust in RC should be minimal such that a cheating RC can only refuse a registration.¹ It is assumed that B can generate signatures (using an arbitrary signature scheme) under her “real” identity $ID_B$ and that the corresponding public keys have already been distributed. Furthermore there

¹ In particular, even a collusion of M and RC should not be able to trace a buyer who did not redistribute a data item. Otherwise one can trivially use any known non-anonymous asymmetric scheme and simply let the initial key pair of the buyer be certified under a pseudonym whose owner is only known to the certification authority. This was overlooked in [Dom98].
is no special restriction on the arbiter A. Any third party having access to the corresponding public keys should be convinced by the proof. The main subprotocols of the construction are registration, fingerprinting, identification, and trial. Identification includes a variant “enforced identification” for the case where RC refuses to cooperate. The main security properties are:

— Security for the merchant: As long as collusions do not exceed a certain size, the merchant will be able to identify a traitor for each illegally redistributed item and to convince any honest arbiter. (In case RC colludes with the traitors the identified traitor may be RC.)

— Security for the buyer and RC: Nobody is unduly identified as a traitor; at least no honest arbiter will believe it.

— Anonymity as sketched above; different purchases by one buyer should also be unlinkable.

For the detailed definitions of the subprotocols and security properties we refer the interested reader to [PW97b].

3 Overview of the Construction 

To see more precisely what we achieve, note that [PW97b] contains a modular construction: The first part, called framework, is a construction based on certificates. At the end, the merchant holds a commitment com to a certain value emb and possibly other information. The buyer can open the commitment and may also hold other information. This framework guarantees that whenever the merchant later obtains emb, he can identify this buyer and win a trial against him. In the second part, the value emb is embedded into the data item in a way that does not release additional information about emb. The embedding procedure must guarantee that whenever a collusion of at most the maximum tolerated size redistributes a data item, the merchant will be able to reconstruct the value emb that was used by at least one traitor. For the second part, constructions were previously only known for the case of traitor tracing and for normal fingerprinting without collusion tolerance. The latter is explicit, and one can see quite easily that the former (based on [PW97a], Section 4) can also be made explicit by using the efficient key selection protocol from Section 2.3 of the same paper in the appropriate places. The main technical part in [PW97b] was to construct a suitable collusion-tolerant embedding procedure for normal fingerprinting.

In contrast, the framework part in [PW97b] is a comparatively simple construction where emb, the content of the commitment, is a signature with respect to a key that the merchant must not know, and the buyer proves with a general zero-knowledge technique that she knows such a key and a certificate by RC on it. It is this first part that we replace with the explicit and much more efficient coin-based construction. It can then be combined with the known second parts. This gives us explicit overall constructions for collusion-tolerant anonymous traitor tracing and for anonymous normal fingerprinting without collusion tolerance. For collusion-tolerant normal fingerprinting, the construction in [PW97b] is not explicit, but it is mentioned that all the steps in a secure 2-party computation look quite simple so that it should be possible to find simpler explicit realizations for them. This can in fact be done (each time exploiting either homomorphism - note that even the Reed-Solomon codes are a linear operation - or the efficient table-lookup from [PW97b], end of Section 2.3), but we do not attempt to include details of that here.

The basic idea for using digital cash systems with double-spender identifica- 
tion to construct an anonymous fingerprinting scheme is as follows: Registration 
will correspond to withdrawing a coin. (The “coins” serve only as a cryptographic 
primitive and have no monetary value.) The untraceability of the cash system 
will give us the unlinkability of the views of the registration center and the 
merchant. Redistribution of a data item should correspond to double-spending 
of the underlying coin, i.e., the value emb embedded in the data item will be 
similar to the response in a second payment with the coin. We could execute a 
complete first payment during fingerprinting, but actually our protocols can be 
simpler. (They are more like “zero-spendable” coins where each coin as such can 
be shown, but any response to a challenge leads to identification.) One new prob- 
lem is that while in a payment the response is given to the merchant in clear, in 
our case it must be verifiably hidden in a commitment. Another problem is that 
double-spender identification is usually a binary decision. In our case, however, it 
must be decided reliably under what copyright conditions the redistributed item 
was bought - e.g., there may be items that can be redistributed after a while. 
In the formal security requirements this is a value text input in fingerprinting 
and also in a trial. Thus the identification information must be linked to such a 
text during fingerprinting in a way that even a collusion of a merchant and the 
registration center cannot forge, although such a collusion can sign additional 
coins that look like belonging to a specific buyer. 

4 Construction 

Our explicit construction employs the ideas from the digital cash scheme in [Bra94] or, as we do not have the same double-spender identification, at least from the underlying blind signature scheme ;P93j. We make the following conventions:

Algebraic Structure: All arithmetic operations are performed in a group $G_q$ of order q for which efficient algorithms are known to multiply, invert, determine equality of elements, test membership and randomly select elements. Any group $G_q$ satisfying these requirements and in which the computation of discrete logarithms is infeasible can be a candidate. For concrete constructions one can assume that $G_q$ is the unique subgroup of prime order q of the multiplicative group $\mathbb{Z}_p^*$ where p is a prime such that $q \mid (p - 1)$.

Hash Function: Hash functions are denoted by hash. We have to make the same assumptions as in [Bra94], which is behavior similar to a random oracle.
Commitment Scheme: We use two commitment schemes. The first one is based on discrete logarithms in $G_q$ (see [BKK90] for the one-bit version and based on [B( iP88| for the general version). To commit to a value $b \in \mathbb{Z}_q$, the committer needs generators $g'', h'' \in_R G_q \setminus \{1\}$, which are typically randomly generated and sent by the recipient. Then the committer selects $x \in_R \mathbb{Z}_q$ and computes the commitment $y = BC_{g'',h''}(x, b) = g''^{x} h''^{b} \bmod p$. To open y, the committer reveals (b, x). This scheme is information-theoretically hiding and it is binding under the discrete logarithm assumption in the corresponding group. Moreover, due to the homomorphic property of this scheme one can commit to a number $r \in \mathbb{Z}_q^*$ using commitments to the bits of r: Let $r = \sum_{j=0}^{l-1} r_j 2^j$ be the binary representation of r and $BC_{g'',h''}(x_j, r_j)$ be commitments to the bits. Then $\prod_{j=0}^{l-1} \left(BC_{g'',h''}(x_j, r_j)\right)^{2^j} = g''^{x} h''^{r} = BC_{g'',h''}(x, r) \bmod p$ with $x = \sum_{j=0}^{l-1} x_j 2^j \bmod q$.

The second bit commitment scheme is based on quadratic residues (see PM81, [BCC88]). To commit to a bit b' the committer computes $y = BC_n(x', b') = (-1)^{b'} x'^2 \bmod n$ where $x' \in_R \mathbb{Z}_n^*$ and n is a Blum integer chosen by the committer.
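Both commitment schemes, and in particular the bitwise recombination property $\prod_j BC_{g'',h''}(x_j, r_j)^{2^j} = BC_{g'',h''}(x, r)$ that the later protocols rely on, are short enough to exercise directly. The code below is an added example, not the paper's own; it uses a constructed toy group $p = 2q + 1$ with $p = 2039$, $q = 1019$ (far too small for real use, chosen so the arithmetic is visible), takes $g'' = 2^2$ and $h'' = 3^2$ as generators of the order-q subgroup of squares, and a constructed Blum integer $n = 7 \cdot 11$ for the quadratic-residue scheme. The function names and the exponent order $g''^{x} h''^{b}$ are this example's conventions.

```python
import random

# Constructed toy parameters: p = 2q + 1 with q prime, so the squares mod p
# form the unique subgroup G_q of prime order q. Not secure, demonstration only.
P = 2039
Q = 1019
G2 = pow(2, 2, P)   # g'' = 4, a square, hence a generator of G_q
H2 = pow(3, 2, P)   # h'' = 9
BLUM_N = 7 * 11     # constructed Blum integer (both primes are 3 mod 4)


def bc_dl(x, b, g=G2, h=H2, p=P):
    """BC_{g'',h''}(x, b) = g''^x h''^b mod p: discrete-log based commitment to b
    with randomizer x (information-theoretically hiding, binding under DL)."""
    return (pow(g, x, p) * pow(h, b, p)) % p


def commit_bits(rng, r, ell, p=P, q=Q):
    """Commit to the ell low bits r_j of r separately; returns (commitments, randomizers)."""
    bits = [(r >> j) & 1 for j in range(ell)]
    xs = [rng.randrange(q) for _ in range(ell)]
    return [bc_dl(xs[j], bits[j], p=p) for j in range(ell)], xs


def combine_bit_commitments(cs, p=P):
    """prod_j BC(x_j, r_j)^{2^j} mod p: the homomorphic recombination."""
    y = 1
    for j, c in enumerate(cs):
        y = (y * pow(c, 1 << j, p)) % p
    return y


def combined_randomizer(xs, q=Q):
    """x = sum_j x_j 2^j mod q: the randomizer that opens the recombined commitment."""
    return sum(x << j for j, x in enumerate(xs)) % q


def bc_qr(x_prime, b_prime, n=BLUM_N):
    """BC_n(x', b') = (-1)^{b'} x'^2 mod n for a Blum integer n."""
    return (pow(-1, b_prime) * pow(x_prime, 2, n)) % n


def open_qr(y, x_prime, b_prime, n=BLUM_N):
    """Verifier-side check of an opened quadratic-residue commitment."""
    return y == bc_qr(x_prime, b_prime, n)


def demo(seed=3):
    """Commit to r bit by bit, recombine, and check it opens as BC(x, r)."""
    rng = random.Random(seed)
    r = 0b1011011                      # constructed 7-bit value to commit to
    cs, xs = commit_bits(rng, r, 7)
    y = combine_bit_commitments(cs)
    x = combined_randomizer(xs)
    return y == bc_dl(x, r)


if __name__ == "__main__":
    print("bitwise recombination opens correctly:", demo())
    y = bc_qr(10, 1)
    print("QR commitment to bit 1 with x'=10:", y, "opens:", open_qr(y, 10, 1))
```

The recombination works because the exponents add: raising $g''^{x_j} h''^{r_j}$ to $2^j$ and multiplying gives $g''^{\sum x_j 2^j} h''^{\sum r_j 2^j}$, and since $g''$ has order q the first exponent may be reduced mod q, which is exactly the x the committer must reveal.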

4.1 Key Distribution and Registration 

Registration Center Key Distribution: RC randomly selects a group $G_q$ and generators $g, g_1, g_2 \in_R G_q \setminus \{1\}$ and a number $x \in_R \mathbb{Z}_q^*$ as its secret key. RC also chooses a hash function hash. It publishes the group description, $(g, g_1, g_2)$, its public key $h = g^x \bmod p$ and hash.

The correctness of the group description (i.e., that p and q are primes with $q \mid (p - 1)$ and generated in a way believed to exclude trap doors) and whether the generators are elements of $G_q \setminus \{1\}$ should be verified by other parties when using them. However, other parties do not rely on the randomness of the generators.

Opening a one-time account: This phase is similar to [Bra94], but in order to bind the identification information to a specific purchase text, each “account” is used only once. To open an account, B chooses $i \in_R \mathbb{Z}_q^*$ randomly and secretly and computes $h_1 = g_1^{i} \bmod p$ (with $h_1 g_2 \neq 1$). She gives $h_1$ to RC and proves that she knows $i$ (using the zero-knowledge proof from [CEG88] or, more efficiently, Schnorr identification [Sch91]). First RC verifies that the account number $h_1$ has not been used before. Then it stores $h_1$ in its registration database together with the claimed normal identity $ID_B$ of this buyer. B gives a signature $sig_{coin}$ on $h_1$ (with a suitable explanation) under her normal identity $ID_B$ and RC verifies it. This signature can be used in later trials to show that B is responsible for this “account number” $h_1$.

Withdrawal: The protocol is shown in Figure 1. Essentially, RC signs the common input $m = h_1 g_2 = g_1^{i} g_2 \bmod p$ using a restrictive blind signature as in [Bra94]. Thus B obtains a signature $\sigma' = (z', a', b', r')$ on $m' = m^{s} = g_1^{is} g_2^{s} \bmod p$, where $s \in_R \mathbb{Z}_q^*$ is chosen randomly and secretly by B.

Our protocol is also similar to the withdrawal protocol in [?] in that an additional value is included in the hashing to obtain the challenge $c$ and thus in the signing process. In our case it is the public key of the key pair $(sk_{text}, pk_{text})$ from an arbitrary signature scheme, here Schnorr's for concreteness. We call the triple $(m', pk_{text}, \sigma')$ a coin.



Common input: $m = h_1 g_2 \bmod p$. B is on the left, RC on the right.

RC: $z \leftarrow m^{x} \bmod p$; $w \in_R \mathbb{Z}_q$; $a \leftarrow g^{w} \bmod p$, $b \leftarrow m^{w} \bmod p$
RC → B: $z, a, b$
B: $s \in_R \mathbb{Z}_q^*$; $m' \leftarrow m^{s}$, $z' \leftarrow z^{s}$
B: $sk_{text} \in_R \mathbb{Z}_q^*$, $pk_{text} \leftarrow g^{sk_{text}} \bmod p$
B: $u, v \in_R \mathbb{Z}_q$; $a' \leftarrow a^{u} g^{v}$, $b' \leftarrow b^{su} m'^{v}$
B: $c' \leftarrow hash(m', z', a', b', pk_{text}) \bmod q$; $c \leftarrow c'/u \bmod q$
B → RC: $c$
RC: $r \leftarrow cx + w \bmod q$
RC → B: $r$
B: $g^{r} \stackrel{?}{=} a h^{c} \bmod p$, $m^{r} \stackrel{?}{=} b z^{c} \bmod p$; $r' \leftarrow ru + v \bmod q$

Fig. 1. The Withdrawal Part of the Registration Protocol



4.2 Fingerprinting 

The fingerprinting subprotocol is executed between the (anonymous) buyer B and the merchant M. This protocol differs (except for Step 1) from the payment protocol in [Bra94]. The common input is a text, $text$, describing the purchase item and licensing conditions.

Step 1: B selects an unused coin $coin' = (m', pk_{text}, \sigma')$. She uses the corresponding $sk_{text}$ to make a Schnorr signature $sig_{text}$ on $text$ and sends $(coin', sig_{text})$ to M. Now M first verifies the validity of $coin'$ by computing $c' = hash(m', z', a', b', pk_{text}) \bmod q$ and checking whether $m' \neq 1$ and $g^{r'} = a' h^{c'}$ and $m'^{r'} = b' z'^{c'} \bmod p$ hold [?]. We say that a coin is valid if and only if it passes these tests. He then verifies $sig_{text}$ using $pk_{text}$ from $coin'$.
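The withdrawal of Fig. 1 together with the coin-validity test of Step 1, as an added Python example (not code from the paper): both parties' computations, B's unblinding, and M's checks on the resulting coin. It assumes a constructed toy group $p = 2q+1$ with $q = 1019$ and uses SHA-256 reduced mod $q$ in place of the paper's unspecified $hash$.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are prime, so the
# squares mod p form G_q.  Real use needs full-size primes.
Q = 1019
P = 2 * Q + 1
G, G1, G2 = pow(2, 2, P), pow(3, 2, P), pow(5, 2, P)   # g, g1, g2 of order q

def hash_q(*vals):
    """The paper's 'hash' is unspecified; here SHA-256 over the values, mod q."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rc_keygen():
    """RC's secret key x and public key h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def open_account():
    """B's one-time account: secret i and account number h1 = g1^i mod p, with h1 g2 != 1."""
    while True:
        i = secrets.randbelow(Q - 1) + 1
        h1 = pow(G1, i, P)
        if h1 * G2 % P != 1:
            return i, h1

def withdraw(x, h, h1):
    """Fig. 1.  Returns (coin', s, sk_text) as held by B afterwards."""
    m = h1 * G2 % P                              # common input m = h1 g2 = g1^i g2
    # RC -> B: z, a, b
    z = pow(m, x, P)
    w = secrets.randbelow(Q)
    a, b = pow(G, w, P), pow(m, w, P)
    # B: blind m and z, pick the text key pair, blind a and b
    s = secrets.randbelow(Q - 1) + 1
    m1, z1 = pow(m, s, P), pow(z, s, P)
    sk_text = secrets.randbelow(Q - 1) + 1
    pk_text = pow(G, sk_text, P)
    u = secrets.randbelow(Q - 1) + 1             # u in Z_q^* so that c'/u exists
    v = secrets.randbelow(Q)
    a1 = pow(a, u, P) * pow(G, v, P) % P         # a' = a^u g^v
    b1 = pow(b, s * u, P) * pow(m1, v, P) % P    # b' = b^{su} m'^v
    c1 = hash_q(m1, z1, a1, b1, pk_text)         # c' = hash(m', z', a', b', pk_text)
    c = c1 * pow(u, -1, Q) % Q                   # B -> RC: c = c'/u
    # RC -> B: r
    r = (c * x + w) % Q
    # B checks RC's answer before unblinding
    if pow(G, r, P) != a * pow(h, c, P) % P or pow(m, r, P) != b * pow(z, c, P) % P:
        raise ValueError("RC's response failed g^r = a h^c or m^r = b z^c")
    r1 = (r * u + v) % Q                         # r' = ru + v
    return (m1, pk_text, (z1, a1, b1, r1)), s, sk_text

def coin_valid(h, coin):
    """Step 1 of fingerprinting: M's tests on coin' = (m', pk_text, sigma')."""
    m1, pk_text, (z1, a1, b1, r1) = coin
    c1 = hash_q(m1, z1, a1, b1, pk_text)
    return (m1 != 1
            and pow(G, r1, P) == a1 * pow(h, c1, P) % P
            and pow(m1, r1, P) == b1 * pow(z1, c1, P) % P)

def representation_ok(coin, i, s):
    """m' = g1^{is} g2^s: the structure emb = (is, s) that B embeds in Step 2."""
    return coin[0] == pow(G1, i * s % Q, P) * pow(G2, s, P) % P
```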

Step 2: B takes the internal structure $(is, s)$ of $m' = g_1^{is} g_2^{s}$ as the value to be embedded in the data item. Hence $emb = (is, s)$, and $r_1 = is$, $r_2 = s$.

Since M should not get any useful information on this value, B hides it in a commitment. While the certificate-based framework in [PW97b] could leave the type of commitment open, we have to provide an efficient link from the given representation of $emb$, i.e., $m'$, to the type of commitments needed in the later embedding procedures. For normal fingerprinting with and without collusion tolerance, these are quadratic residue commitments to individual bits of $emb$.¹

We start this by producing discrete logarithm commitments to a binary representation of $r_1$ and $r_2$: The merchant M sends generators $g''$ and $h''$ to B, and B sends back commitments $com_{kj} = BC_{DL}(x_{kj}, r_{kj}) = g''^{r_{kj}} h''^{x_{kj}} \bmod p$, where $k = 1, 2$, $0 \le j \le l-1$ and $x_{kj} \in_R \mathbb{Z}_q$. M may choose the generators randomly once for all its buyers. B should verify that they are elements of $G_q \setminus \{1\}$. From these individual commitments, M computes the commitments to $r_1$ and $r_2$, i.e., $com_k = \prod_{j=0}^{l-1} com_{kj}^{2^j}$ for $k = 1, 2$. Now B proves the following predicate $P$ to M: The content of the commitments $com_k$ is a pair $(r_1, r_2) \in \mathbb{Z}_q^* \times \mathbb{Z}_q^*$ with $m' = g_1^{r_1} g_2^{r_2} \bmod p$. This can be done in zero-knowledge as shown in Figure 2, similar to other proofs concerning knowledge of representations of numbers with respect to certain generators following [CEG88]. As usual, we could also use larger challenges $c$ at the cost of the real zero-knowledge property.

Note that this protocol does not prove that the values $r_{kj}$ are binary; such a proof will be a side effect of Step 3.



For $k = 1, 2$ and $0 \le j \le l-1$. B is on the left, M on the right.

B: $(r_1, r_2) \leftarrow emb = (is, s)$; $r_k = \sum_{j=0}^{l-1} r_{kj} 2^j$
B: $x_{kj} \in_R \mathbb{Z}_q$; $com_{kj} \leftarrow g''^{r_{kj}} h''^{x_{kj}} \bmod p$
B → M: $com_{kj}$
M: $com_k \leftarrow \prod_{j=0}^{l-1} com_{kj}^{2^j} \bmod p$
REPEAT $N$ times
  B: $e_k, v_k \in_R \mathbb{Z}_q$; $V \leftarrow g_1^{e_1} g_2^{e_2} \bmod p$; $rcom_k \leftarrow g''^{e_k} h''^{v_k} \bmod p$
  B → M: $rcom_k$, $V$
  M: $c \in_R \mathbb{Z}_2$
  M → B: $c$
  B: $res_k \leftarrow c r_k + e_k \bmod q$; $z_k \leftarrow c x_k + v_k \bmod q$ (with $x_k = \sum_{j=0}^{l-1} x_{kj} 2^j \bmod q$)
  B → M: $res_k$, $z_k$
  M: $g_1^{res_1} g_2^{res_2} \stackrel{?}{=} V m'^{c} \bmod p$; $g''^{res_k} h''^{z_k} \stackrel{?}{=} rcom_k\, com_k^{c} \bmod p$
END REPEAT

Fig. 2. Step 2 of the Fingerprinting Protocol
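The two commitment schemes of Section 4 and the proof of Fig. 2, as an added Python example (not the paper's code): bit commitments $BC_{DL}$, their homomorphic aggregation to $com_k$, the bit commitment $BC_{QR}$, and the $N$-round proof that $com_1, com_2$ open to $(r_1, r_2)$ with $m' = g_1^{r_1} g_2^{r_2}$. The group parameters and the Blum integer are constructed toy values; `challenge` and `wrong_m` are test hooks, not part of the protocol.

```python
import secrets

# Constructed toy parameters: q = 1019, p = 2q + 1 = 2039 (both prime); squares
# mod p form G_q.  n = 499 * 503 is a Blum integer (both factors are 3 mod 4).
Q = 1019
P = 2 * Q + 1
G1, G2 = pow(3, 2, P), pow(5, 2, P)      # RC's generators g1, g2
GG, HH = pow(7, 2, P), pow(11, 2, P)     # M's commitment generators g'', h''
N_BLUM = 499 * 503
L = 10                                   # bit length l, with q < 2^l

def bc_dl(x, b):
    """BC_DL(x, b) = g''^b h''^x mod p: information-theoretically hiding."""
    return pow(GG, b % Q, P) * pow(HH, x % Q, P) % P

def bc_qr(xp, b):
    """BC_QR(x', b') = (-1)^b' x'^2 mod n for a bit b' (x' in Z_n^*)."""
    return (-1) ** b * pow(xp, 2, N_BLUM) % N_BLUM

def commit_bits(r):
    """Commitments com_j = BC_DL(x_j, r_j) to the bits of r = sum_j r_j 2^j."""
    xs = [secrets.randbelow(Q) for _ in range(L)]
    return [bc_dl(xs[j], (r >> j) & 1) for j in range(L)], xs

def aggregate(coms):
    """prod_j com_j^(2^j) mod p = BC_DL(sum_j x_j 2^j mod q, r): the homomorphic step."""
    y = 1
    for j, c in enumerate(coms):
        y = y * pow(c, 1 << j, P) % P
    return y

def aggregate_opening(xs):
    return sum(x << j for j, x in enumerate(xs)) % Q

def prove_fig2(m1, r, xs, coms, rounds, challenge=None):
    """Fig. 2: B proves com_1, com_2 contain (r1, r2) with m' = g1^r1 g2^r2.
    B's and M's steps are interleaved in one loop; `challenge` fixes M's
    coin flip for testing, otherwise c is drawn from Z_2 each round."""
    com = [aggregate(coms[k]) for k in range(2)]          # M: com_k from the com_kj
    x = [aggregate_opening(xs[k]) for k in range(2)]      # B: x_k = sum_j x_kj 2^j
    for _ in range(rounds):
        e = [secrets.randbelow(Q) for _ in range(2)]       # B: e_k, v_k
        v = [secrets.randbelow(Q) for _ in range(2)]
        V = pow(G1, e[0], P) * pow(G2, e[1], P) % P        # B: V = g1^e1 g2^e2
        rcom = [pow(GG, e[k], P) * pow(HH, v[k], P) % P for k in range(2)]
        c = secrets.randbelow(2) if challenge is None else challenge   # M: c in Z_2
        res = [(c * r[k] + e[k]) % Q for k in range(2)]    # B: res_k = c r_k + e_k
        z = [(c * x[k] + v[k]) % Q for k in range(2)]      # B: z_k = c x_k + v_k
        if pow(G1, res[0], P) * pow(G2, res[1], P) % P != V * pow(m1, c, P) % P:
            return False                                   # M: g1^res1 g2^res2 = V m'^c
        if any(pow(GG, res[k], P) * pow(HH, z[k], P) % P
               != rcom[k] * pow(com[k], c, P) % P for k in range(2)):
            return False                                   # M: g''^res_k h''^z_k = rcom_k com_k^c
    return True

def fingerprint_step2(i, s, rounds=20, challenge=None, wrong_m=False):
    """emb = (is, s) is committed bitwise and proven against m'; returns M's verdict."""
    r = [i * s % Q, s % Q]
    m1 = pow(G1, r[0], P) * pow(G2, r[1], P) % P
    if wrong_m:                      # commitments that do not match the claimed m'
        m1 = m1 * G1 % P
    coms, xs = [], []
    for k in range(2):
        c_k, x_k = commit_bits(r[k])
        coms.append(c_k)
        xs.append(x_k)
    return prove_fig2(m1, r, xs, coms, rounds, challenge)
```

A round with challenge $c = 0$ never tests $m'$, which is why $N$ repetitions with random one-bit challenges are needed.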



Step 3: Now B additionally computes quadratic residue commitments on the same values $r_{kj}$. As mentioned, these are needed as input to the embedding procedures. We denote them by $com'_{kj} = BC_{QR}(x'_{kj}, r_{kj})$ for $x'_{kj} \in_R \mathbb{Z}_n^*$, where $n$ is a Blum integer chosen by the buyer. B sends these commitments to M and proves in zero-knowledge that the contents in each pair $(com_{kj}, com'_{kj})$ are equal. Since one can only commit to bits when using $BC_{QR}$, the equality proof implies that the values $r_{kj}$ in Step 2 were binary. An efficient proof can again be carried out by fairly standard techniques. For instance, one can see two pairs of commitments $BC_{DL}$ and $BC_{QR}$, where both commitments in one pair contain “0” and in the other pair “1”, as a cryptographic capsule and proceed similar to [?]. This is a proof with one-bit challenges and thus the least efficient part of our protocol. However, even if one only compares it with the simplest embedding procedure that might follow, fingerprinting without collusion tolerance as in [?], one sees that quadratic residue commitments must be made on a portion of the data item significantly larger than the word $emb$ to be embedded into it (so that the resulting changes are small). Thus the complexity of our last step is not larger than that of embedding.

¹ For traitor tracing, they are quadratic residue commitments to small blocks of $emb$ represented in unary. Such a representation can also be derived efficiently from commitments to the bits.

4.3 Identification 

After finding a redistributed copy of the data item, M tries to identify a traitor as follows:

Step 1: M extracts a value $emb = (r_1, r_2)$ from the redistributed data item using the extraction algorithm from the underlying embedding scheme. This pair is $(is, s)$ with $s \neq 0$. M computes $m' = g_1^{r_1} g_2^{r_2} \bmod p$ and retrieves $coin'$, $text$, and $sig_{text}$ from the purchase record of the corresponding data item. If he does not find the coin identifier $m'$, he gives up (the collusion tolerance of the underlying code may be exceeded). Otherwise he sends $i$ to RC.

Step 2: RC searches in its registration database for a buyer who is registered under the value $h_1 = g_1^{i}$. It retrieves the values $(ID_B, sig_{coin})$ and sends them to M. Note that M can enforce RC's cooperation, see below.

Step 3: M verifies the signature $sig_{coin}$ on $h_1$.

Enforced Identification: This is a special case in identification if RC refuses to reveal the information requested by M:

Step 1: M sends $proof_1 = (coin', (i, s))$ to an arbiter A.

Step 2: A verifies the validity of $coin'$ using the algorithm from Step 1 of fingerprinting and that $m' = g_1^{is} g_2^{s} \bmod p$. If this is wrong, A rejects M's claim. Otherwise she sends $i$ to RC and requests the values $(ID_B, sig_{coin})$. Then A verifies them as M does in Step 3 of the identification.

4.4 Trial 

Now M tries to convince an arbiter A that B redistributed the data item bought under the conditions described in $text$. The values $ID_B$ and $text$ are common inputs.

Step 1: M sends to A the proof string

$proof = ((i, sig_{coin}), (coin', sig_{text}), s)$.

Step 2: A computes $h_1 = g_1^{i} \bmod p$ and verifies that $sig_{coin}$ is a valid signature on $h_1$ with respect to $ID_B$. If yes, it means that $i$, the internal structure of an account number $h_1$ for which B was responsible, has been recovered by M and thus, as we will see, that B has redistributed some data item. Note that $i$ alone is not enough evidence for A to find B guilty of redistributing a data item under the specific text, $text$.

Step 3: A verifies the validity of $coin'$, that $m' = g_1^{is} g_2^{s} \bmod p$ holds, and the signature $sig_{text}$ on the disputed text using the test key $pk_{text}$ contained in $coin'$. These verifications imply that if the accused buyer owned this coin, she must have spent it in the disputed purchase on $text$. Now A must verify that this coin belongs to B. It is not possible to do so by only showing the link between the coin and the withdrawal (which could be fixed by a signature from B under RC's view), because a collusion of M and RC could forge such a link. (Interested readers can find the attack in Appendix A.) Thus A performs the following last step where B is required to take part.

Step 4: A asks B whether she has withdrawn another valid coin, i.e., a tuple $coin^* = (m^*, pk^*_{text}, \sigma^*)$ with $pk^*_{text} \neq pk_{text}$ using the one-time account $h_1$. If yes, B has to show the representation of $m^*$, i.e., a value $s^*$ such that $m^* = g_1^{is^*} g_2^{s^*}$. If B can do that, then A decides that RC is guilty, otherwise B.

5 Security of the Construction 

We now present detailed proof sketches of our construction. We assume that all the underlying primitives are secure. The merchant's security only relies on the security of the underlying embedding scheme, the buyer's on standard cryptographic assumptions. The security for the registration center needs the restrictiveness of the blind signature scheme, and we will make a precise assumption for this. Anonymity is information-theoretic.

5.1 Security for the Merchant 

Due to the properties of the underlying embedding scheme, we can assume that whenever the maximum tolerated size of a collusion is not exceeded, and the collusion redistributes a data item sufficiently similar to the original, then M can extract a value $emb$ that belongs to a traitor with very high probability. More precisely, $emb$ is the value to which the traitor could open the final quadratic-residue commitments given in the corresponding purchase.

The zero-knowledge proofs in fingerprinting guarantee that this value $emb$ is a pair $(r_1, r_2)$ such that $g_1^{r_1} g_2^{r_2} = m' \neq 1$, where $m'$ is the identifier of the coin used in this purchase. Thus M can retrieve a valid $coin'$ and the pair $(i, s) = (r_1/r_2, r_2)$. This enables him to ask RC for identification and, in the worst case, have it enforced by A. Moreover, he can retrieve $text$ and a valid signature $sig_{text}$. Together with the values that RC must return, M therefore obtains a valid proof string $proof$ and passes the first three steps of the trial. This is sufficient because Step 4 of the trial only concerns M's decision on whether RC or B is guilty.

M is also protected from making wrong accusations (and thus possibly damaging his reputation): Even if there are more than the tolerated number of traitors, M's verifications in identification guarantee that whenever he makes an accusation he will not lose in the trial.

5.2 Security for the Buyer 

Consider an honest buyer B and a trial about the purchase on a specific text, $text$, for which B has not revealed the corresponding data item. She is secure if the attackers cannot convince an honest arbiter A in this trial, even if the other parties collude and obtain other data items that she bought (active attack). Such situations occur, e.g., if B is allowed to redistribute another item after a certain period of time.

Step 2 of the trial guarantees that B is only held responsible for one of her own one-time account numbers $h_1 = g_1^{i}$, and that the attackers must know $i$.

First it is shown that the attackers cannot find $i$ unless they obtain the result of a purchase where B has used a coin $coin^*$ withdrawn from the account $h_1$. The only knowledge the attackers can otherwise obtain about $i$ in our protocol is: (1) $h_1$ itself, (2) the proof of knowledge of $i$ in registration, and (3) the commitments on $emb = (is, s)$ and two zero-knowledge proofs in fingerprinting. Additionally, they might obtain information in embedding, but by definition of secure embedding this is not the case. If the proofs are actually zero-knowledge and the commitments semantically secure, computing $i$ from all this information is as hard as computing it from $h_1$ alone, i.e., as computing a discrete logarithm. (If we use Schnorr identification and a similar proof in fingerprinting, security relies on the joint security of these identification protocols against retrieval of the secret key.)

Hence the only way for the attackers to find $i$ is in fact to obtain the resulting data item in a purchase where B has used $coin^*$ based on $h_1$. Let $text^*$ be the text describing that purchase. By the precondition, we know that $text^* \neq text$. The secret key corresponding to $pk^*_{text}$ in $coin^*$ is known only to B, and B reveals no information about it during registration, fingerprinting, and redistribution except making one signature on $text^*$ with it. As we assume that the underlying signature scheme is secure against active attacks, this does not help the attackers to forge a valid signature with respect to $pk^*_{text}$ on $text$.

Now, even if the attackers are a collusion of M and RC and succeed in constructing a wrong coin $coin_A$ with a self-made $pk_A$, which passes all M's verifications so far, B wins by showing $coin^*$ with $pk^*_{text} \neq pk_A$.




160 Birgit Pfitzmann and Ahmad-Reza Sadeghi 



5.3 Security for the Registration Center 

An honest registration center RC should never be found guilty by an honest arbiter A. This could happen in two cases:

1. In enforced identification if M can send a value $proof_1$ that convinces A, but RC cannot reveal the required registration data under the identity $i$.

2. In a trial if the attackers (a collusion of M and B) can generate two valid coins, $coin'$ and $coin^*$, withdrawn from the same account $h_1$, i.e., their representations correspond to the same $h_1$.

To exclude both cases, we need the restrictiveness of the underlying blind signature scheme. The corresponding assumption in [Bra94] is fairly informal, so we formalize it in a version that suffices for our purpose. Note that although this version seems closest to Brands' formulation, for his payment system a weaker assumption would be sufficient, and the corresponding definition in [FY93] is also of that weaker form: For the payment system one only needs that all the coins the attackers can construct correspond to some account of the attackers. For Case 2 of RC's security, we need that the attackers cannot even transform coins between their own accounts. (In [Bra94], Definition 5, this is somehow implicit because a one-to-one correspondence between constructed coins and withdrawal protocols is assumed a priori.) We only need the case with one-time accounts, but we formulate the general case, and also for any number of generators. We first introduce some notation:

— Let $gengroup$ be an algorithm that generates a group from the given family (see Section [?]) and a fixed number $n + 1$ (in our concrete case $n = 2$) of random generators $g$ and $g_1, \ldots, g_n$. Its output $(p, q, g, g_1, \ldots, g_n)$ is denoted by $desc$.

— Let $genkey$ be the key generation algorithm that takes as input a value $desc$ and outputs a key pair $(sk, pk)$, here $(x, g^x)$.

— Let $valid(desc, pk, (m', par, \sigma'))$ be the predicate for validity of a coin as in Step 1 of fingerprinting (where $par$ may be an arbitrary value in the place of $pk_{text}$).

— By the predicate $repr$ we denote that a vector $I = (i_1, \ldots, i_n) \in \mathbb{Z}_q^n$ is the representation of a message $m \in G_q$, i.e.,

$repr(m, I) :\Leftrightarrow m = g_1^{i_1} \cdots g_n^{i_n}$.

— $blindsig$ is the protocol between a signer S and a (dishonest) recipient R shown in Figure 1. Signer and recipient are interactive probabilistic polynomial-time algorithms, and in our case S always follows the protocol and R need not. The signer inputs $sk$ and a message $m$, and the recipient has an arbitrary auxiliary local variable $aux$ as input; it models the attacker's memory between protocol executions. The signer has no final output, while the recipient outputs an update $aux''$ of its auxiliary variable. If the recipient wants to continue the attack, we also let him immediately output the message $m''$ that the signer should sign next, and we also allow another output $o''$.

We write one such interaction as

$((aux'', m'', o''), -) \leftarrow blindsig(R(aux), S(sk, m))$.

We now consider a dishonest recipient R who executes the withdrawal protocol with an honest Brands signer S polynomially many times. In addition, R has to show a representation $I_j$ of each input message $m_j$. (Note that we make the assumption with actual outputs in places where the real protocols only have proofs of knowledge.) At the end, R outputs valid signatures, again with representations of the signed messages. The assumption (or, implicitly, the definition of strong restrictiveness) is that all the output representations are scalar multiples of input representations, and in a kind of one-to-one mapping. To express this easily, let $\langle \ldots \rangle$ be a notation for a multiset (i.e., unordered like a set but possibly with repetition). We use $\subseteq$ to denote the subset relation for multisets, i.e., each element on the left must also occur on the right with at least the same multiplicity. Finally, for any vector (representation) $I \neq 0$ let $\bar{I}$ denote the line it generates, i.e., the set of its scalar multiples.

Assumption 1 (General Strong Restrictiveness) Let R denote a probabilistic polynomial-time interactive algorithm, $Q$ a polynomial and $l$ a security parameter. Then for all $Q$ and for all R that interact with the Brands signer for $k = Q(l)$ times:

$$
\begin{aligned}
P\big(\ & \neg\big(\langle \bar{I}'_1, \ldots, \bar{I}'_{k'} \rangle \subseteq \langle \bar{I}_1, \ldots, \bar{I}_k \rangle\big) \\
& \wedge\ \forall j = 1, \ldots, k : repr(m_j, I_j) \\
& \wedge\ \forall j = 1, \ldots, k' : \big(repr(m'_j, I'_j) \wedge valid(desc, pk, (m'_j, par_j, \sigma'_j))\big) \\
& \wedge\ \text{all pairs } (m'_j, par_j) \text{ are different} \\
:: \ & desc \leftarrow gengroup(l);\ k := Q(l);\ (sk, pk) \leftarrow genkey(desc); \\
& ((aux_1, m_1, I_1), -) \leftarrow R(l, desc, pk); \\
& ((aux_2, m_2, I_2), -) \leftarrow blindsig(R(aux_1), S(sk, m_1)); \\
& \quad \vdots \\
& ((aux_k, m_k, I_k), -) \leftarrow blindsig(R(aux_{k-1}), S(sk, m_{k-1})); \\
& (aux_{k+1}, -) \leftarrow blindsig(R(aux_k), S(sk, m_k)); \\
& \big(k', ((m'_1, par_1, \sigma'_1), \ldots, (m'_{k'}, par_{k'}, \sigma'_{k'})), (I'_1, \ldots, I'_{k'})\big) \leftarrow R(aux_{k+1}) \ \big) \\
< \ & 1/poly(l).
\end{aligned}
$$

Next we return to the security of fingerprinting and consider a successful attacker R* against RC's security. As RC never uses its secret key except in the blind signature protocol within registration, R* can be seen as an attacker against the blind signature protocol with $n = 2$. The only difference to the scenario in Assumption 1 up to the choice of $aux_{k+1}$ is that R* need not output the values $I_j$, but instead gives a proof of knowledge of $i_j$ in the specific representation $m_j = g_1^{i_j} g_2$. We combine R* with the extractor for these proofs of knowledge to obtain another attacker R that also outputs $I_j$, so that Assumption 1 applies.

We now consider the two cases of how RC could be found guilty by an honest arbiter with the new attacker R.

In Case 1, the attackers need a valid coin $coin' = (m', pk_{text}, \sigma')$ and a representation $I = (is, s)$ of $m'$ such that no withdrawal with respect to $h_1 = g_1^{i}$ was performed. (If RC does find such a withdrawal it is clear that the retrieved values pass A's tests.) However, by Assumption 1, $I$ is a scalar multiple of one of the original representations, say $I_j$. As $I_j$ is of the form $(i_j, 1)$, this means that $i = i_j$ and thus a withdrawal with $h_1 = g_1^{i}$ was performed.

In Case 2, the attackers must show two valid coins $coin' = (m', pk_{text}, \sigma')$ and $coin^* = (m^*, pk^*_{text}, \sigma^*)$ with $pk_{text} \neq pk^*_{text}$ and representations $(is, s)$ of $m'$ and $(is^*, s^*)$ of $m^*$ with the same $i$. These output representations lie on the same line $\bar{I}$ with $I = (i, 1)$. By Assumption 1 this $\bar{I}$ and thus $h_1 = g_1^{i}$ also have to occur twice among the input representations. However, RC ensures that each account is only used once. This finishes the proof that such a successful attacker cannot exist.

5.4 Anonymity 

Due to the properties of the underlying cash system the views of RC and M concerning the withdrawal of a coin and its verification are unlinkable.

We now consider the additional information in registration and fingerprinting: Obviously, $sig_{coin}$ in registration is no problem because the only additional information it is based on (B's secret key) is not used in fingerprinting. Similarly, $sig_{text}$ in fingerprinting is no problem: The only additional information it is based on is $sk_{text}$. However, an information-theoretic attacker can compute $sk_{text}$ from $pk_{text}$, which is already transmitted in the coin, and we know that the coin-related data in the underlying cash system are not linkable.

The value $emb$ in fingerprinting, which is based on the same $i$ that is also used in fingerprinting, is hidden in bit commitments. The first commitment scheme used, based on discrete logarithms, is information-theoretically hiding and the second one, based on quadratic residues, is hiding under the Quadratic Residuosity Assumption. Moreover, the zero-knowledge protocols used in fingerprinting do not leak information about $emb$ and the embedding operation is assumed not to leak such information either.

Furthermore, using one-time accounts implies that B's different purchases are unlinkable, even if a purchased data item has been redistributed and the information contained in it recovered.

6 Conclusion 

We have presented an anonymous fingerprinting scheme where all protocols are explicit and fairly efficient. The complexity is lower than that of any known embedding procedure that might follow, so that the anonymity is currently not the bottleneck for implementation. A disadvantage of this scheme in comparison with the previous one based on general zero-knowledge techniques is that the buyer is needed to carry out a fair trial; we hope to find a scheme that combines explicitness and 2-party trials in the future.

Of course, embedding for any asymmetric scheme is still rather an expensive procedure because commitments on a significant fraction of the data are needed, and the data must be long because otherwise one could not hide enough bits in them, at least if one desires collusion tolerance.

Acknowledgments: We thank Matthias Schunter and Michael Waidner for generous and fruitful discussions.
A Linking a Self-Made Coin to a Correct Withdrawal

In this appendix, we show the attack that motivates the last verification step in the trial, as mentioned in Section 4.4.

Let $h_1$ be an account number of B and $coin^* = (m', pk^*_{text}, \sigma')$ (with $\sigma' = (z', a', b', r')$) be the coin that B withdrew from this account and used in a purchase with the text $text^*$. Note that $a' = a^{u} g^{v} = g^{wu+v} \bmod p$ and $b' = b^{su} m'^{v} = m'^{wu+v} \bmod p$.

Assume now that the attackers are a collusion of M and RC and have access to the data item that B has bought in this purchase. Then they know $emb = (is, s)$, $w$, $x$, $view_{withdraw} = (a, b, c)$, $r$, and the additional signature $sig^*$ that B would give to fix $view_{withdraw}$ before receiving $r$.

As $sig^*$ fixes the values $(a, b, c)$ that can be used together with the given $h_1$, the attackers want to link a self-made coin $coin_A$, in particular with a self-made $pk_A$, for which the attackers know $sk_A$, to these values. For this, they randomly select $w_A \in_R \mathbb{Z}_q$ and compute $a_A = g^{w_A} \bmod p$ and $b_A = m'^{w_A} \bmod p$. Then they compute $c'_A = hash(m', z', a_A, b_A, pk_A)$. Since $c$ is fixed they first compute $u_A = c'_A / c \bmod q$ and then $v_A = w_A - w u_A$ and $r_A = r u_A + v_A \bmod q$. In this manner they obtain values which pass all verifications by A.

Finally, the attackers can use $sk_A$ to sign any text they like with respect to this coin.
Abstract. In this paper we discuss various aspects of cryptosystems based on hyperelliptic curves. In particular we cover the implementation of the group law on such curves and how to generate suitable curves for use in cryptography. This paper presents a practical comparison between the performance of elliptic curve based digital signature schemes and schemes based on hyperelliptic curves. We conclude that, at present, hyperelliptic curves offer no performance advantage over elliptic curves.



Elliptic curve cryptosystems are now being deployed in the real world and there has been much work in recent years on their implementation. A natural generalization of such schemes was given by Koblitz who described how the group law on a Jacobian of a hyperelliptic curve can be used to define a cryptographic system. Almost all of the standard discrete logarithm based protocols such as DSA and ElGamal have elliptic and hyperelliptic variants. This is because such protocols only require the presence of a finite abelian group, with a large prime order subgroup, within which the basic group operation is easy whilst the associated discrete logarithm problem is hard. We shall not discuss these protocols in this paper since everything that can be said for elliptic curve based protocols can usually be said for hyperelliptic curve based protocols. Instead we shall concentrate more on the underlying group: In particular how one performs the group operation and how one produces groups of the required type.

The Jacobian of a genus $g$ hyperelliptic curve will have roughly $q^{g}$ points on it, where $q$ denotes the number of elements in the field of definition of the Jacobian. By choosing hyperelliptic curves of genus greater than one we can achieve the same order of magnitude of the group order with a smaller value for $q$ when compared with elliptic curve based systems which have $g = 1$. This has led some people to suggest that hyperelliptic curves may offer some advantages over elliptic curves in some special situations. For example if we wanted to only perform arithmetic using single words on a 32-bit computer we could choose $g = 5$ or $6$ to obtain group orders of around 160 to 192 bits.

One has to be a little careful as to how large one makes $g$, since for large genus there is a sub-exponential method to solve the discrete logarithm problem [?]. However this does not appear to affect the security of curves of genus less than 10 over field sizes of around 32 bits.

J. Stern (Ed.): EUROCRYPT’99, LNCS 1592, pp. IfiS- TrTTI 1999. 

(c) Springer-Verlag Berlin Heidelberg 1999
In this paper we give an overview of the group law on a curve of genus $g$ in arbitrary characteristic. We shall give a more efficient reduction method than the standard method of Cantor [?]. This is an immediate extension of the method of Tenner reduction from [?]. We shall then describe various techniques for generating hyperelliptic curves for use in cryptography.

Finally we report on an actual implementation of a hyperelliptic digital signature algorithm. We will conclude that hyperelliptic systems, with current algorithms, are more efficient in characteristic two but appear to offer no practical advantage over elliptic curve systems.

1 Arithmetic 

In this section we summarize the details and leave the reader to consult [?] for a fuller explanation. A hyperelliptic curve, $C$, of genus $g$ will be given in the form

$$C : Y^2 + H(X)Y = F(X)$$

where $F(X)$ is a monic polynomial of degree $2g + 1$ and $H(X)$ is a polynomial of degree at most $g$. Both $H(X)$ and $F(X)$ have coefficients in $\mathbb{F}_q$. Such a curve is non-singular if there is no point on $C(\mathbb{F}_q)$ at which the two partial derivatives,

$$2Y + H(X) \quad \text{and} \quad H'(X)Y - F'(X),$$

simultaneously vanish. We shall always assume that the curve $C$ is non-singular.

In odd characteristic fields we will always assume that $H(X) = 0$, whilst in even characteristic fields we will assume that $H(X) = 1$, for reasons which will become clear later. Notice that if $H(X) = 1$ then in characteristic two any choice for the polynomial $F(X)$ will give rise to a non-singular curve.

The above representation gives rise to a so called ‘imaginary’ quadratic function field. It is given this name since there are no units of infinite order and the arithmetic in the Jacobian closely mirrors the arithmetic one uses for the class group of an imaginary quadratic number field.

We can also define a hyperelliptic curve of genus $g$ to be given by an equation like that above but with $\deg F = 2g + 2$. This gives rise to a ‘real’ quadratic function field. It is easy to see that, unlike the number field situation, an imaginary quadratic function field can be viewed as a real quadratic function field after making a change of variables. However, just as in the case of the class group of real quadratic number fields, the arithmetic in the Jacobians of real quadratic hyperelliptic curves is more involved and requires the use of ‘infrastructure’. The reader should consult [?] for an explanation of the algorithms required and [?] for a complexity analysis of the two situations. For the rest of this article we will concentrate on the imaginary quadratic representation, which is more suited to efficient implementations in practice.

Following Cantor and Koblitz, an element of the Jacobian of $C$ will be given by two polynomials $a, b \in \mathbb{F}_q[x]$ which satisfy

i) $\deg b < \deg a \le g$.

ii) $b$ is a solution of the equation $b^2 + Hb \equiv F \pmod{a}$.

Addition in the Jacobian is accomplished by two procedures: Composition and Reduction. Given $(a_1, b_1)$ and $(a_2, b_2)$ the composition of these two elements in the group of divisors is given by $(a_3, b_3)$ using the following algorithm due to Cantor and Koblitz:

Composition

1. Perform two extended gcd computations to compute

$d = \gcd(a_1, a_2, b_1 + b_2 + H) = s_1 a_1 + s_2 a_2 + s_3 (b_1 + b_2 + H)$.

2. Set $a_3 = a_1 a_2 / d^2$ and

3. $b_3 = (s_1 a_1 b_2 + s_2 a_2 b_1 + s_3 (b_1 b_2 + F)) / d \pmod{a_3}$.

Note that $a_3$ will have degree at most $2g$ and hence $(a_3, b_3)$ will most probably need to be reduced. We shall return to this later. Notice, however, that for cryptography the most important composition step is doubling, where $a_1 = a_2$ and $b_1 = b_2$. This is because in discrete logarithm based systems we wish to perform a multiplication operation on the Jacobian. Using window techniques this involves mainly the doubling of elements rather than a general composition. Hence it is important that doubling an element can be accomplished efficiently. With our above choice of curves in odd and even characteristic we find:

Doubling in Odd Characteristic Fields 

Since we have chosen $H(X) = 0$ the doubling operation simplifies to: Put $d = \gcd(a_1, 2b_1) = s_1 a_1 + s_3 (2b_1)$; then $a_3 = (a_1 / d)^2$ and $b_3 = (2 s_1 a_1 b_1 + s_3 (b_1^2 + F)) / d$.

Doubling in Even Characteristic Fields 

Now since we have $H(X) = 1$ the doubling operation simplifies to: Put $a_3 = a_1^2$ and $b_3 = b_1^2 + F \pmod{a_3}$. This is much simpler than the odd characteristic step and contributes to much faster times for the verifying of messages using curves over even characteristic fields, see below for details.

We shall now describe the reduction step, which given the result $(a_3, b_3)$ of a composition will return an element, $(a, b)$, of the Jacobian with $\deg a \le g$. The element $(a_3, b_3)$ represents an element in the group of divisors. Since we are in an imaginary quadratic situation every divisor class (and so every element in the Jacobian) can be represented by a unique, so called reduced, divisor. The reduction step takes the divisor represented by $(a_3, b_3)$ and returns the unique reduced divisor $(a, b)$ in the same divisor class as $(a_3, b_3)$. As mentioned above we use a variant of Tenner reduction which is more efficient than the method given by Cantor and Koblitz.
Reduction

1. $a = (b_3^2 + b_3 H - F)/a_3$.

2. $(u, b) = \mathrm{quo/rem}(-b_3 - H, a)$.

3. While $\deg a > g$:

4.   $a^* = a_3 + u(b_3 - b)$.

5.   $a_3 = a$, $a = a^*$, $b_3 = b$.

6.   $(u, b) = \mathrm{quo/rem}(-b_3 - H, a)$.

This is exactly the same as the standard method except for Step 4. In this
step we have replaced the division $a^* = (b^2 + Hb - F)/a$ with simpler operations,
on noticing that $u$ in general will have small degree whilst $\deg a$ in Step 4 could
be at most $2g - 2$. To see that Step 4 is equivalent to the standard method we
notice that $u = (-b_3 - H - b)/a$ and that $a a_3 = b_3^2 + b_3 H - F$ holds on entry to
every iteration (by Step 1 initially, and by the identity below afterwards), and so

$$a^* = a_3 + u(b_3 - b) = \frac{a a_3 - (b_3 + H + b)(b_3 - b)}{a} = \frac{b^2 + Hb - F}{a}.$$
In [?] the extended Euclidean algorithm is analyzed in the context of hyperelliptic
cryptosystems. As we have already pointed out, for even characteristic
fields no extended Euclidean algorithm is required for the most important operation, doubling.
Most of the effort in performing a sign or verify operation
is in the reduction step. Hence analyzing the reduction step is far more important;
luckily this has already been done in [?], where it is shown that the above
reduction step takes $12g^2 + O(g)$ field operations, whereas in [?] the standard method
is stated to take $3g^3 + O(g^2)$ field operations. However, a complexity analysis
can often be inappropriate since complexity only deals with the asymptotics of
an algorithm. In real life the relative performance of algorithms in small ranges
can depend on factors such as cache size and processor type.
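The composition, doubling and reduction steps above, as an added worked example in Python (this is not code from the paper): polynomial arithmetic over a small constructed prime field, Cantor composition with $H = 0$, the odd-characteristic doubling formula, the division-free reduction loop, and the textbook reduction it replaces, so that both reductions can be checked against each other on the same input. Genus 3 is used rather than 2 because for $g = 2$ the loop body (Step 4) is never entered. The prime $p = 1019$, the curve $y^2 = x^7 + 2x + 1$ and the sample points are assumptions chosen for illustration; `group_add`, `reduce_smart` and the other names are this example's own.

```python
# Added example (not from the paper): Cantor composition, the odd-characteristic doubling
# formula and the division-free reduction loop above, for y^2 = F(x) over F_p (H = 0), g = 3.
# The prime, the curve and the sample points are constructed for illustration only.
P = 1019                       # assumed prime; 3 mod 4, so square roots are one exponentiation
F = [1, 2, 0, 0, 0, 0, 0, 1]   # F(x) = x^7 + 2x + 1, coefficients low degree first
G = 3                          # genus g, deg F = 2g + 1

def norm(f):                   # reduce mod P and strip leading zeros; the zero polynomial is []
    f = [c % P for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f
def deg(f): return len(f) - 1  # deg(0) = -1
def add(f, g):
    n = max(len(f), len(g))
    return norm([(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0) for i in range(n)])
def sub(f, g): return add(f, [-c for c in g])
def scale(f, c): return norm([c * x for x in f])
def mul(f, g):
    r = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            r[i + j] += x * y
    return norm(r)

def quorem(f, g):              # (quotient, remainder) of f divided by g != 0
    g, r = norm(g), norm(f)
    q, inv = [0] * max(len(r) - len(g) + 1, 1), pow(g[-1], -1, P)
    while r and len(r) >= len(g):
        k, c = len(r) - len(g), r[-1] * inv % P
        q[k] = c
        r = sub(r, [0] * k + scale(g, c))
    return norm(q), r
def xgcd(f, g):                # monic d with d = s f + t g
    r0, r1, s0, s1, t0, t1 = norm(f), norm(g), [1], [], [], [1]
    while r1:
        q, r = quorem(r0, r1)
        r0, r1, s0, s1, t0, t1 = r1, r, s1, sub(s0, mul(q, s1)), t1, sub(t0, mul(q, t1))
    inv = pow(r0[-1], -1, P)
    return scale(r0, inv), scale(s0, inv), scale(t0, inv)

def compose(D1, D2):           # Composition, steps 1-3, with H = 0
    (a1, b1), (a2, b2) = D1, D2
    d1, e1, e2 = xgcd(a1, a2)                        # d1 = e1 a1 + e2 a2
    d, c1, s3 = xgcd(d1, add(b1, b2))                # d  = c1 d1 + s3 (b1 + b2)
    s1, s2 = mul(c1, e1), mul(c1, e2)                # d  = s1 a1 + s2 a2 + s3 (b1 + b2)
    a3, r = quorem(mul(a1, a2), mul(d, d))           # a3 = a1 a2 / d^2
    num = add(add(mul(mul(s1, a1), b2), mul(mul(s2, a2), b1)), mul(s3, add(mul(b1, b2), F)))
    num, r2 = quorem(num, d)
    assert not r and not r2                          # both divisions are exact in Cantor's algorithm
    return a3, quorem(num, a3)[1]                    # b3 = num / d  (mod a3)
def double(D):                 # Doubling in Odd Characteristic Fields: d = gcd(a1, 2 b1)
    a1, b1 = D
    d, s1, s3 = xgcd(a1, scale(b1, 2))               # d = s1 a1 + s3 (2 b1)
    q = quorem(a1, d)[0]
    a3 = mul(q, q)                                   # a3 = (a1 / d)^2
    num, r = quorem(add(mul(mul(s1, a1), b1), mul(s3, add(mul(b1, b1), F))), d)
    assert not r
    return a3, quorem(num, a3)[1]

def reduce_smart(D):           # the Reduction loop above; Step 4 needs no polynomial division
    a3, b3 = D
    if deg(a3) <= G:                                 # composition output already reduced
        return a3, b3
    a, r = quorem(sub(mul(b3, b3), F), a3)           # step 1: a = (b3^2 - F)/a3
    assert not r
    u, b = quorem([-c for c in b3], a)               # step 2: (u, b) = quo/rem(-b3, a)
    while deg(a) > G:                                # step 3
        a3, a, b3 = a, add(a3, mul(u, sub(b3, b))), b   # steps 4-5: a* = a3 + u (b3 - b)
        u, b = quorem([-c for c in b3], a)           # step 6
    return scale(a, pow(a[-1], -1, P)), b            # monic a: the unique reduced divisor
def reduce_standard(D):        # textbook loop, dividing a* = (b^2 - F)/a in every iteration
    a, b = D
    while deg(a) > G:
        a, r = quorem(sub(mul(b, b), F), a)
        assert not r
        b = quorem([-c for c in b], a)[1]
    return scale(a, pow(a[-1], -1, P)), b

def point(x):                  # (x, y) on y^2 = F(x) if F(x) is a square mod P, else None
    fx = sum(c * pow(x, i, P) for i, c in enumerate(F)) % P
    y = pow(fx, (P + 1) // 4, P)
    return (x, y) if y * y % P == fx else None
def divisor(pts):              # (a, b) for P_1 + ... + P_n with distinct x_i: a = prod (x - x_i), b(x_i) = y_i
    a, b = [1], []
    for x1, y1 in pts:
        a, term = mul(a, [-x1, 1]), [y1]
        for x2, _ in pts:                            # Lagrange basis polynomial for x1
            if x2 != x1: term = mul(term, scale([-x2, 1], pow(x1 - x2, -1, P)))
        b = add(b, term)
    return a, b
def group_add(D1, D2): return reduce_smart(compose(D1, D2))
def neg(D): return D[0], norm([-c for c in D[1]])
def is_reduced(D):             # deg a <= g, deg b < deg a, a monic and b^2 = F (mod a)
    a, b = D
    return deg(a) <= G and deg(b) < deg(a) and a[-1] == 1 and not quorem(sub(mul(b, b), F), a)[1]

PTS = [pt for x in range(1, 100) if (pt := point(x)) is not None][:9]   # constructed sample points
D1, D2, D3 = divisor(PTS[0:3]), divisor(PTS[3:6]), divisor(PTS[6:9])
```

For the degree-6 output of `compose(D1, D2)` Step 1 produces an `a` of degree 4, so the loop runs once and Step 4 builds the degree-3 `a*` from `a3`, `u` and `b3 - b` alone; `reduce_standard` reaches the same reduced divisor by the division it avoids, which is the equivalence argued above.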

2 Curve Generation

There are many ways, in theory, that one could proceed if one wanted to produce
curves suitable for use in cryptography. Many of the methods are analogues of
those used in the elliptic curve case. The order $|J(\mathbb{F}_q)|$ can be computed in
polynomial time using methods due to Adleman, Huang and Pila, see [?] and [?],
which are themselves generalizations of the method of Schoof [?] used in the
elliptic case. There is no implementation of this method for genus greater than
one at the present time. This is probably because the algorithm, although easy
to understand, appears very hard to implement. Another reason is that there
is no known analogue of the improvements made by Atkin and Elkies to the
original Schoof algorithm. Hence only the 'naive' Schoof algorithm is available in
genus greater than one. Such an algorithm appears hopeless as a method, since
the 'naive' Schoof algorithm is far too inefficient even for elliptic curves.

The fact that it seems unlikely that anyone can compute the order of $J(\mathbb{F}_q)$
for a general curve of genus 5 or 6 could lead one to propose that one should not
worry. For example, if I do not believe that someone can compute the order of
$J(\mathbb{F}_q)$ then I do not need to worry about many of the attacks on such systems,
since most attacks such as Pohlig-Hellman require knowledge of the group order.
This of course also means that our protocols need to be changed so that they
do not require knowledge of the group order. Although this is a possible approach,
it is to be rejected as it assumes that someone will not make a known
polynomial time algorithm run efficiently. Our security is therefore not built on
the difficulty of some underlying mathematical problem but on the difficulty of
programming a known algorithm efficiently.

Just as for elliptic curves one can compute hyperelliptic curves using the
theory of Complex Multiplication (CM). This has been worked out in detail for
the case of $g = 2$ in [?] and uses the class groups of complex quadratic extensions
of real quadratic number fields, which are the quartic CM fields. Clearly the class
numbers of any such field used should be small, and hence the curves which are
produced will in some sense be 'special'. In the CM method for hyperelliptic
curves multi-variable analogues of the Hilbert polynomial are constructed, the
roots of which modulo $p$ give the $j$-invariants of the curve. The curve is then
recovered from its $j$-invariants.

This method is only currently effective in genus two since the $j$-invariants of
a hyperelliptic curve have only been worked out for genus less than three. The
invariants used are the Igusa invariants [?], which are linked to the classical
19th Century invariants of quintic and sextic polynomials. After the demise of
classical invariant theory at the end of the 19th Century the drive to compute
invariants of the higher order quantics, as they were then called, died out. Even
today with the advent of computer algebra systems this seems a daunting task.
One way around this problem, which still uses CM, is to use reductions of hyperelliptic
curves defined over $\mathbb{Q}$ which have global complex multiplication, see [?].
However, here one is restricting to an even more special type of hyperelliptic
curve than the general CM method above.

Another technique is to use the theory of the modular curves, $X_0(N)$, see
[?] and [?]. Such curves are well studied and much is known about them. This
enables us to compute the orders of the Jacobians of such curves in a much easier
way than for other general curves. However, paranoid readers should beware: since
they are well understood curves with special properties they may be susceptible
to some new attack which makes use of the fact that they are modular.

Koblitz, in [?], suggests using curves of the form

$$v^2 + v = u^n$$

over some finite prime field $\mathbb{F}_p$. Given such curves he then gives a procedure to
determine the group order by evaluating a Jacobi sum of a certain character.
We refer the reader to Koblitz's book for details. However once again we are
restricting to a very special type of curve which may be susceptible to some, as
yet unknown, attack.

In characteristic two one can use curves defined over subfields [?] just as
one can do for elliptic curves. For example a simple search found the curves in
Table 1, which all have subgroups of their Jacobians of 'large' prime order. We
could also use such a technique to generate curves over $\mathbb{F}_p$, where $p$ is a small
odd prime, and look at the Jacobian over $\mathbb{F}_{p^n}$.



Table 1. Curves of the form $Y^2 + Y = F(X)$ (exponents shown as ? are not legible in the scan)

  F_q        F(X)                                      log_2 p, where p | #J(F_q)
  F_{2^31}   (not legible)                              150
  F_{2^29}   X^? + X^? + X^? + X                        157
  F_{2^29}   X^? + X^? + X^? + X + 1                    153
  F_{2^29}   X^13 + X^? + X^? + X^? + 1                 169
  F_{2^29}   X^? + X^? + X^? + X^? + 1                  170
  F_{2^29}   X^13 + X^? + X^? + X^? + X^? + X + 1       152
  F_{2^31}   X^13 + X^? + X^? + X^? + X                 162
  F_{2^31}   X^13 + X^? + X^? + X + 1                   154
  F_{2^31}   X^? + X^? + X^? + X^?                      158
  F_{2^31}   X^13 + X^? + X^? + X^?                     178
  F_{2^31}   X^13 + X^? + X^? + X^? + X^? + X + 1       181
  F_{2^31}   X^?? + X                                    207
  F_{2^31}   X^?? + X^? + X^? + X                       200



Apart from the, currently unimplemented, method of Schoof, Pila et al. the
above methods do not seem very pleasing. It is a good general principle never to
choose a curve with 'special structure', and all of the above schemes use 'special'
properties of the curves to make the group order computation easier.

To see why one should avoid special curves one only has to look at the history
of elliptic curve cryptography. In the past various authors proposed using supersingular
or anomalous curves as they offered some advantages over other more
general curves. However, both types of curves are now known to be weak, see
[?], [?], [?] and [?]. Hence it is probably worth adopting the principle of always
avoiding special curves of any shape or form. In the current author's opinion
this is the major open problem with using hyperelliptic curves for cryptographic
purposes: how to choose a suitable curve efficiently?
3 The Discrete Logarithm Problem in Hyperelliptic Jacobians

The security of hyperelliptic cryptosystems is based upon the difficulty of solving 
the discrete logarithm problem in the Jacobian of the curve. We summarize 
the main characteristics of the possible attacks on the hyperelliptic discrete 
logarithm problem below. The reader should note that in all but one case they 
closely mirror analogues for the elliptic curve discrete logarithm problem. 

Apart from the generic discrete logarithm algorithms such as the baby-step /
giant-step and the rho/kangaroo method there are three known methods which
are specific to hyperelliptic curves. Two of these give rise to two weak classes of
hyperelliptic curve cryptosystems:

1. Curves of order $n$ over $\mathbb{F}_q$ such that $q^k \equiv 1 \pmod n$ for some small value
of $k$. This is due to a generalization by Frey and Rück [?] of the method of Menezes et al. [?] for
supersingular elliptic curves.

2. Anomalous curves over $\mathbb{F}_p$ and in general curves which have a large subgroup
of order $p$ in a field of characteristic $p$. This attack uses a generalization due
to Rück [?] of the anomalous curve attack for elliptic curves due to Semaev,
Satoh, Araki and Smart, see [?], [?] and [?].

However, such cases are easy to check for and only eliminate a small fraction of
all possible curves.

For hyperelliptic curves the most interesting case, from a theoretical stand- 
point, is when the genus is large in comparison to the size of the field of definition 
of the Jacobian. In this case there are conjectured subexponential methods. The 
first of these was due to Adleman, De Marrais and Huang which is based on the 
number field sieve factoring method. 

Paulus [?] and Flassenberg and Paulus [?] have implemented such a method
for solving discrete logarithms in Jacobians of hyperelliptic curves. Flassenberg
and Paulus did not, however, use the method of Adleman, De Marrais and
Huang directly. Instead they made use of the fact that our hyperelliptic curves
correspond to real quadratic function field extensions. Using the analogy between
quadratic function fields and quadratic number fields, Flassenberg and Paulus
adapt the class group method of Hafner and McCurley [?] (see also [?]). Then
combining this with a sieving method they obtain a working method which can be
applied to hyperelliptic curves of relatively small genus. It should be pointed out
that although Flassenberg and Paulus do not actually solve discrete logarithm
problems, their methods are such that they can be easily extended so that they
do.

Flassenberg and Paulus compared their algorithm to the baby-step / giant-step
approach. Over finite prime fields, $\mathbb{F}_p$, their implementation of the Hafner-McCurley
method beat the baby-step / giant-step method as soon as $3g > \log p$.
However, this is only given a very small sample size. But it would appear, for
theoretical reasons as well, to be a good rule of thumb to avoid curves for which
$2g > \log q$. Hence if $\mathbb{F}_q = \mathbb{F}_{2^{31}}$ then we should avoid curves whose genus is larger
than eleven.
4 Implementation

In [?] the number of bit operations for implementing a hyperelliptic cryptosystem
is studied and compared with both ECC and RSA systems which offer
roughly the same level of security. It is concluded that hyperelliptic cryptosystems
could be efficient enough in practice to use in real life situations. Following
on from this work, in [?] an implementation of such a system is described. However,
this implementation makes no use of Tenner reduction and generally uses
field sizes which require more than a single word to represent each field element.

We decided to implement the group law in the Jacobian for curves of arbitrary
genus over $\mathbb{F}_{2^n}$ and $\mathbb{F}_p$, where $p$ is a prime. We chose values of $p$
and $n$ such that $p$ and $2^n$ are less than $2^{32}$. This choice was to make sure that
our basic arithmetic could all be fitted into single words on our computer. Such
curves and fields have attracted some interest in the community in recent years
since they may offer some implementation advantages. In even characteristic
we used a trinomial basis while in odd characteristic we used a small in-lined
machine code subroutine to perform the modular multiplication. Field inversion
in both cases was carried out using a modification of the binary method.

The general multiplication algorithm on the Jacobian for curves defined over 
odd characteristic fields ended up being around twice as slow as that for even 
characteristic fields, of an equivalent size, in genus two. In genus five the odd 
characteristic fields were nearly three times slower. This fact led us to only 
implement a full digital signature scheme in characteristic two. 

For the signing operation the multiplication performed is on the fixed group 
generator. Hence this can be efficiently accomplished using a precomputed table 
of powers of the generator. The verification step requires two multiplications, 
one of the generator and one of a general point. Hence for verification we cannot 
use precomputed tables and the difficulty of doubling an element will dominate 
the computation. For the general multiplication, used in the verification step, we 
used a signed window method, since negation in the Jacobian of a hyperelliptic 
curve comes virtually for free. 

Our timings, in milliseconds, for a hyperelliptic variant of the DSA method
(HCDSA) are given in Table 2. These timings were obtained on a Pentium Pro
334MHz, running Windows NT, using the Microsoft Visual C++ compiler. We
also give an estimate of the timings for an elliptic curve (ECDSA) system with
approximately the same group order.

The elliptic curve implementation made no use of special field representations,
such as using the subfield structure. The even characteristic field representation
for the elliptic curve system was a standard polynomial basis. The odd
characteristic field (of size approximately $2^{160}$) used for the elliptic curve system
used a Montgomery representation.

Table 2. HCDSA and ECDSA Timings in Milliseconds

  Curve          Field       Sign   Verify
  HCDSA, g = 5   F_{2^31}     18      71
  HCDSA, g = 6   F_{2^31}     26      98
  HCDSA, g = 7   F_{2^31}     40     156
  ECDSA          F_{2^161}     4      19
  ECDSA          F_p           3      17

So we see that even though the finite field elements fit into a single word the
extra cost of the polynomial arithmetic needed for operations in the Jacobian
makes the time needed to perform the complete set of hyperelliptic curve operations
over four times slower than in the elliptic curve case. If more efficient
elliptic curve techniques were used then the relative performance of the HCDSA
algorithm would degrade even more.

Given the relative difficulty of finding hyperelliptic curves for use in cryptography
which do not possess some additional structure, and the relatively poor
performance of the HCDSA algorithm when compared to ECDSA, there seems
no benefit in using hyperelliptic curves.

Of course further work could result in significant speed improvements for
hyperelliptic systems. For example at present there appears to be no notion akin
to the projective representation in elliptic curves. Another possible avenue for
improvement is to use Frobenius expansions. Not as much work has been carried
out in the hyperelliptic case on the study of Frobenius expansions compared
to the elliptic curve case. These are useful for curves defined over small subfields,
such as those used above. The only cases having been considered in the
hyperelliptic case are in [?]. However, for elliptic curves Frobenius expansion
techniques can be made very fast in all characteristics, see [?] and [?].
Abstract. A new elliptic curve scalar multiplication algorithm is proposed.
The algorithm offers about twice the throughput of some conventional
OEF-based algorithms because it combines the Frobenius map
with the table reference method based on base-$\phi$ expansion. Furthermore,
since this algorithm suits conventional computational units such
as 16, 32 and 64 bits, its base field $\mathbb{F}_{p^m}$ is expected to enhance elliptic
curve operation efficiency more than $\mathbb{F}_q$ ($q$ is a prime) or $\mathbb{F}_{2^n}$.
Keywords: Elliptic curve cryptosystem, Scalar multiplication, OEF, Finite
field, Frobenius map, Table reference method.



1 Introduction 

While speeding up modular exponentiation has been a prime approach to speeding
up the RSA scheme, scalar multiplication of an elliptic curve point can speed
up elliptic curve schemes such as EC-DSA and EC-ElGamal. In particular, elliptic
curves over $\mathbb{F}_q$ ($q$ is a prime) or $\mathbb{F}_{2^n}$ have been implemented by many
companies and standardized by several organizations such as IEEE P1363 and
ISO/IEC JTC1/SC27.

For the $\mathbb{F}_{2^n}$ type, many efficient computational algorithms have been proposed.
Koblitz introduced a base-$\phi$ expansion method that uses a Frobenius map
to multiply $\mathbb{F}_{2^n}$-rational points on an elliptic curve defined over $\mathbb{F}_2$, $\mathbb{F}_4$, $\mathbb{F}_8$ or
$\mathbb{F}_{16}$ in [?]. Müller and Cheon et al. extended the base-$\phi$ expansion method
to elliptic curves defined over $\mathbb{F}_{2^r}$, where $r$ is a small integer. Koblitz also extended
the base-$\phi$ expansion method to $\mathbb{F}_3$ and $\mathbb{F}_7$ in [?].

However, since calculation over small characteristic fields does not offer
adequate speed on general purpose machines, very high-capacity tables or
special-purpose machines are needed. If you select $\lceil \log_2 p \rceil$ (the bit size of a
prime number $p$) to match the operation unit of an individual computer, the
scalar multiplication over $\mathbb{F}_{p^m}$ could be calculated faster than that over $\mathbb{F}_q$ or $\mathbb{F}_{2^n}$,
where $\lceil \log_2 p^m \rceil$ should be close to $\lceil \log_2 q \rceil$ or $\lceil \log_2 2^n \rceil$ ($= n$) under the condition
of the same security level. Bailey and Paar newly proposed an elliptic curve
scheme on OEF (Optimal Extension Fields), or an $\mathbb{F}_{p^m}$ type, at Crypto'98 [?].

J. Stern (Ed.): EUROCRYPT’99, LNCS 1592, pp. 176-ESni 1999- 
© Springer- Verlag Berlin Heidelberg 1999 
Their method represents the elliptic curve points using a polynomial basis. They
showed that multiplication as well as addition and subtraction can be efficiently
computed by introducing a binomial as the minimal polynomial.

Though the original OEF method simply indicated how to compute addition
and multiplication on $\mathbb{F}_{p^m}$, efficient computational techniques similar to those
developed for the $\mathbb{F}_{2^n}$ type have not been introduced to the OEF world.

This paper extends the base-$\phi$ expansion method from $\mathbb{F}_{2^m}$ to the general
finite field $\mathbb{F}_{p^m}$ by using a table reference method. Several table reference methods
have been developed for schemes using fixed primitive points (base points),
such as the DSA scheme [?]. Ours is the first to combine the Frobenius map
and the table reference method and so does not need any pre-computation. It
can be applied to any higher-characteristic elliptic curve as well as the small-characteristic
ones. When $p$ equals two, this method reduces to Koblitz's method.
Different from Cheon's method, this method isn't limited to an elliptic curve
defined over $\mathbb{F}_{2^r}$. The method works over OEF-type elliptic curves because the
table reference method is effective even if $p$ is large. If you select $p$ close to $2^{16}$,
$2^{32}$ or $2^{64}$, which are suitable operation units for computers, our method is about
twice as fast as ordinary OEF methods.

Section 2 describes the idea of our proposed method. Its procedure is given
in Sect. 3. Section 4 shows how to construct the proposed OEF parameters. Its
efficiency and further techniques are given in Sects. 5 and 6. Section 7 concludes
this paper.



2 Approach 

2.1 Frobenius Map 

In this section, we define the Frobenius map. Let $E/\mathbb{F}_p$ denote a non-supersingular
elliptic curve defined over a finite field $\mathbb{F}_p$ where $p$ is a prime or any power
of a prime. $P = (x, y)$ is an $\mathbb{F}_{p^m}$-rational point of the elliptic curve $E$ defined over
$\mathbb{F}_p$. The Frobenius map $\phi$ is defined as

$$\phi : (x, y) \mapsto (x^p, y^p).$$

The Frobenius map is an endomorphism of $E(\mathbb{F}_{p^m})$. It satisfies the equation

$$\phi^2 - t\phi + p = 0, \qquad -2\sqrt{p} \le t \le 2\sqrt{p}. \tag{1}$$

Since $E$ is non-supersingular, the endomorphism ring of $E$ is an order of the
imaginary quadratic field $\mathbb{Q}(\sqrt{t^2 - 4p})$ [?]. The ring $\mathbb{Z}[\phi]$ is a subring of the
endomorphism ring.

To compute the Frobenius map $\phi$ takes negligible time, provided that an element
$a \in \mathbb{F}_{p^m}$ is represented using a normal basis of $\mathbb{F}_{p^m}$ over $\mathbb{F}_p$.
2.2 Normal Basis and Polynomial Basis

The elements of the field $\mathbb{F}_{p^m}$ can be represented in several different ways; for
example, "polynomial basis" and "normal basis". In a polynomial basis, an element
$a \in \mathbb{F}_{p^m}$ is represented as

$$a = a_{m-1}\alpha^{m-1} + \cdots + a_1\alpha + a_0, \tag{2}$$

where $a_i \in \mathbb{F}_p$ and $\alpha$ is a defining element of $\mathbb{F}_{p^m}$ over $\mathbb{F}_p$.

In a normal basis, $a \in \mathbb{F}_{p^m}$ is represented as

$$a = a_{m-1}\alpha^{p^{m-1}} + \cdots + a_1\alpha^{p} + a_0\alpha, \tag{3}$$

where $a_i \in \mathbb{F}_p$ and $\alpha$ is a generator of the normal basis.

Addition and subtraction in $\mathbb{F}_{p^m}$ are quite fast in both representation forms.
When you choose a polynomial basis, multiplication and squaring can be done
with reasonable speed.

When you choose a normal basis, the $p$-th power operation, which is equal
to the Frobenius map, is quite fast. Though multiplication isn't fast in a general
normal basis, there are several techniques for fast multiplication in $\mathbb{F}_{2^m}$ such
as the optimal normal basis [?]. Thus, fast algorithms for scalar multiplication
using the Frobenius map [?] have been developed using $\mathbb{F}_2$ or its extension fields
represented by a normal basis.

On the other hand, we developed a fast Frobenius map algorithm for OEF
[?], which has a special polynomial basis.

2.3 Frobenius Map for OEF

Let OEF be the finite field $\mathbb{F}_{p^m}$ that satisfies the following:

- $p$ is a prime less than but close to the word size of the processor,
- $p = 2^n \pm c$, where $\log_2 c < n/2$, and
- an irreducible binomial $f(x) = x^m - \omega$ exists.

Although the paper [?] showed that OEF has an efficient algorithm for multiplication
and squaring, there was no discussion of the Frobenius map. In this
section, we present a new algorithm to compute the Frobenius map in OEF.

We consider the following polynomial basis representation of an element $a \in
\mathbb{F}_{p^m}$:

$$a = a_{m-1}\alpha^{m-1} + \cdots + a_1\alpha + a_0,$$

where $a_i \in \mathbb{F}_p$ and $\alpha \in \mathbb{F}_{p^m}$ is a root of $f(x)$. Since we choose $\lceil \log_2 p \rceil$ to be less
than the processor's word size, we can represent $a$ using $m$ registers.

The Frobenius map moves $a$ to

$$\phi(a) = a^p = a_{m-1}\alpha^{(m-1)p} + \cdots + a_1\alpha^{p} + a_0. \tag{4}$$
Since $\alpha$ is a root of $f(x) = 0$, $\alpha^m = \omega$, and hence

$$\alpha^{ip} = \omega^{\lfloor ip/m \rfloor}\,\alpha^{ip \bmod m},$$

where $\lfloor x \rfloor$ is the maximum integer not exceeding $x$.

Assuming $\gcd(m, p) = 1$, $(i_1 p \bmod m) = (i_2 p \bmod m)$ is equivalent to $i_1 = i_2$.
Thus, the map $\pi(i) = ip \bmod m$ is bijective.

We rewrite Equation (4) using $\pi(i)$ as follows:

$$a^p = a'_{m-1}\alpha^{m-1} + \cdots + a'_1\alpha + a'_0,$$

where $a'_{\pi(i)} = a_i\,\omega^{\lfloor ip/m \rfloor}$.

Since $p$, $m$ and $\omega$ are independent of the element $a$, we can pre-compute
$\omega_i = \omega^{\lfloor ip/m \rfloor}$ before computing the Frobenius map. Accordingly, the complete
procedure to compute the Frobenius map of an element of an OEF is as follows:

[Frobenius Map Procedure for OEF]

Input: $[a_0, \ldots, a_{m-1}]$ ($= a$)

Output: $[a'_0, \ldots, a'_{m-1}]$ ($= \phi(a)$)

Step 1: compute $b_i = a_i\omega_i$, for $i = 1$ to $m - 1$.

Step 2: compute $a'_{\pi(i)} = b_i$, for $i = 1$ to $m - 1$.

Step 3: $a'_0 = a_0$.

This procedure needs only $m - 1$ multiplications on $\mathbb{F}_p$. This takes negligible
time compared to a multiplication on $\mathbb{F}_{p^m}$, which needs on the order of $m^2$ multiplications on
$\mathbb{F}_p$.

2.4 Base-$\phi$ Scalar Multiplication Method

This section describes the basic idea of base-$\phi$ scalar multiplication given by
Koblitz [?].

Consider scalar multiplication $kP$, where $k$ and $P$ represent a scalar multiplier
and an elliptic curve point, respectively. Consider $k = 15$ as an example.
By using the binary method, $15P$ is calculated as $2(2(2P + P) + P) + P$ by
three elliptic curve doublings and three elliptic curve additions. If you use the
signed-binary method, $15P$ is calculated as $2(2(2(2P))) - P$ by four elliptic curve
doublings and one elliptic curve subtraction. General computational times are
given in Table 1, where $n = \lceil \log_2 p^m \rceil$.

Base-$\phi$ expansion is generally calculated as follows.¹ If an intermediate multiplier
$k_i$ is represented by $k_i = x_i + y_i\phi$, where $x_i$ and $y_i$ are integers, $x_0 = k$
and $y_0 = 0$, the equation is modified to $k_i = u_i + k_{i+1}\phi$, where $u_i$ is defined as
an integer such that $u_i \equiv x_i \pmod p$ and $-\frac{p}{2} \le u_i < \frac{p}{2}$.

¹ This is the straightforward method.
Table 1. Computational Times for Binary Method

                             EC Doubling   EC Addition   Total
  Binary (maximum)               n             n           2n
  Binary (average)               n            n/2         3n/2
  Signed Binary (maximum)        n            n/2         3n/2
  Signed Binary (average)        n            3n/8        11n/8

Then $k_{i+1} = x_{i+1} + y_{i+1}\phi$, with $x_{i+1} = y_i + t\,\frac{x_i - u_i}{p}$ and $y_{i+1} = -\frac{x_i - u_i}{p}$, by using
$\phi^2 - t\phi + p = 0$. Iterating this operation, $k$ is expanded to

$$k = \sum_{i=0}^{l} u_i\phi^i, \qquad \text{where } -\frac{p}{2} \le u_i < \frac{p}{2}. \tag{5}$$

$l$ is an integer and is discussed in Sect. 3.2.

In the case of $k = 15$, $p = 2$, the elliptic curve is $E/\mathbb{F}_2 : y^2 + xy = x^3 + 1$
(trace $t$ is 1 as an example), $15 = -1 + \phi^4 - \phi^8$. Accordingly, $15P$ is calculated
by two elliptic curve additions, which is much faster than the signed or unsigned
binary method.

Koblitz [?] presented the scalar multiplication algorithm for $\mathbb{F}_{2^m}$-rational
points on $E/\mathbb{F}_2$. Solinas [?] improved it. In those papers $u_i \in \{-1, 0, 1\}$. Thus
it needs at most $l$ elliptic curve additions and computations of the Frobenius map
to calculate $kP$.

On the other hand, to utilize a base-$\phi$ scalar multiplication method we must restrict
ourselves to an elliptic curve defined over $\mathbb{F}_p$ and its $\mathbb{F}_{p^m}$-rational points. Since there
is only an exponential time attack such as [?], it is not an obstacle to use such
elliptic curves for elliptic curve cryptosystems.

2.5 Generalized Base-$\phi$ Scalar Multiplication

We consider the fact that the cost of $\phi^i P$ can be reduced very much for OEF,
as shown in Section 2.3. Though traditional base-$\phi$ scalar multiplication has
been applied to finite fields with small characteristics, it can be applied to more
general cases such as OEF.

This, however, makes each coefficient $u_i$ in Equation (5) large, because $0 \le
|u_i| \le p/2$. When $u_i$ is large, the delay time to calculate $u_i\phi^i P$ from $\phi^i P$ becomes
a bottleneck. Thus, the traditional base-$\phi$ method is not always faster than the
binary method. This is one reason why the base-$\phi$ scalar multiplication method
was applied only to fields with small characteristics.
To solve this problem, we introduce the idea of the table reference scalar
multiplication method. After each value of $\phi^i P$ is stored in a memory table, we
should perform addition on the elliptic curve. There are two different ways to
look up the table and add.

One method uses only addition. If $15P + 13\phi^2 P + 2\phi^3 P$ is to be calculated,
$X \leftarrow P$ and $Y \leftarrow O$, then $Y \leftarrow Y + X$ is computed twice. $X \leftarrow X + \phi^2 P$, then
$Y \leftarrow Y + X$ is computed eleven times. $X \leftarrow X + \phi^3 P$, then $Y \leftarrow Y + X$ is
computed twice. Generally speaking, when you compute

$$k = \sum_{i=0}^{l} u_i\phi^i, \tag{6}$$

where $u_i < \frac{p}{2}$, the elliptic curve addition should be computed roughly
$l + \frac{p}{2}$ times. This idea of the original table reference method was created for the non-elliptic
curve scheme by Brickell et al. [?]. By introducing the base-$\phi$ method, this
method can be enhanced to handle any primitive. Thus, our method supports
not only signature generation by EC-DSA but also verification, which involves
multiplication of unpredictable elliptic curve points.

The second method uses both doubling and addition. If $15P + 13\phi^2 P +
2\phi^3 P = (1111)_2 P + (1101)_2\phi^2 P + (0010)_2\phi^3 P$ is calculated, $X \leftarrow P + \phi^2 P$ is
computed then doubled. $X \leftarrow X + P + \phi^2 P$ is computed then doubled. $X \leftarrow
X + P + \phi^3 P$ is computed then doubled. Finally, $X \leftarrow X + P + \phi^2 P$ is computed.

In general, when you compute $k = \sum_{i=0}^{l} u_i\phi^i$, the elliptic
curve addition and doubling should be computed roughly $(l + 1)(\lceil \log_2 p \rceil - 1)/2$
and $\lceil \log_2 p \rceil - 2$ times, respectively. If the reference table contains not only $P$
and $\phi^i P$ but also their combinations such as $P + \phi^2 P$, $P + \phi^3 P$ and so on, the
addition and doubling times could be reduced by at least $\lceil \log_2 p \rceil - 2$.

We found that there are some trade-offs. Which of the two methods is better?
How many values should the memory table store? It depends on the case.



3 Procedure

3.1 Base-$\phi$ Scalar Multiplication

In this section, we describe the base-$\phi$ scalar multiplication method. The following
procedure computes $Q = kP$ for inputs $P$ and $k$, where $0 < k < N_m$ and $P$
is an $\mathbb{F}_{p^m}$-rational point on $E$ which is not an $\mathbb{F}_p$-rational point. We use $wh(x)$ to
represent the Hamming weight of $x$ expressed in signed binary digits, $N_m$ denotes
the number of $\mathbb{F}_{p^m}$-points on $E$, and $t$ denotes the trace of $E$.
[Base-$\phi$ Scalar Multiplication Procedure]

Input: $k, P, E, t, p$
Output: $Q$ ($= kP$)

Step 1: Base-$\phi$ Expansion of $k$

Step 1-1: $i \leftarrow 0$, $x \leftarrow k$, $y \leftarrow 0$, $u_j \leftarrow 0$ for all $j$.

Step 1-2: if ($x = 0$ and $y = 0$) then go to Step 2.

Step 1-3: $u_i \leftarrow x \bmod p$ (taken in $-p/2 \le u_i < p/2$).

Step 1-4: $v \leftarrow (x - u_i)/p$, $x \leftarrow tv + y$, $y \leftarrow -v$, $i \leftarrow i + 1$.

Step 1-5: go to Step 1-2.

Step 2: Optimization of Base-$\phi$ Expansion

Step 2-1: $d_i \leftarrow u_i + u_{i+m} + u_{i+2m}$ for $0 \le i < m$.

Step 2-2: $c_i \leftarrow d_i - z$ for $0 \le i \le m - 1$,
where $z$ is an integer that minimizes $\sum wh(c_i)$.

Step 3: Table Reference Multiplication

Step 3-1: $P_i \leftarrow \phi^i P$ for $0 \le i < m$.

Step 3-2: $Q \leftarrow O$, $j \leftarrow \lceil \log_2 p \rceil + 1$.

Step 3-3: $Q \leftarrow 2Q$.

Step 3-4: for ($i = 0$ to $m - 1$) { if ($c_{ij} = 1$) then $Q \leftarrow Q + P_i$. }

Step 3-5: $j \leftarrow j - 1$.

Step 3-6: if ($j > 0$) then go to Step 3-3.

Here $c_{ij}$ denotes bit $j$ of $c_i$.

First, the procedure finds $u_i$ such that $k = \sum_{i=0}^{l} u_i\phi^i$ in Step 1 by using
$\phi^2 - t\phi + p = 0$. This part of the procedure is nearly equal to the procedure in
[?] and the integer $l$ is nearly equal to $2m + 3$. This is discussed in Sect. 3.2.

Next, it reduces the series of the base-$\phi$ expansion $\{u_0, \ldots, u_l\}$ into $\{c_0, \ldots, c_{m-1}\}$
in Step 2. A detailed explanation is given in Sect. 3.3.

Finally, it calculates $kP$ using $\{c_0, \ldots, c_{m-1}\}$ in Step 3. Step 3 requires
$\lceil \log_2 p \rceil$ elliptic curve doublings and $m\lceil \log_2 p \rceil$ elliptic curve additions at most.

On the other hand, we can use the following Step 3' instead of Step 3 to
compute $kP$ using the Frobenius map. Step 3' requires $p + m + 2$ elliptic curve
additions at most. We can choose the method which has the lower computation cost.

[Another Table Reference Multiplication Procedure]

Step 3': Table Reference Multiplication

Step 3'-1: $Q \leftarrow O$, $S \leftarrow O$, $d \leftarrow \max\{c_i\}$.

Step 3'-2: for ($i = 0$ to $m - 1$) { if $d = c_i$ then $S \leftarrow S + \phi^i P$. }

Step 3'-3: $Q \leftarrow Q + S$, $d \leftarrow d - 1$.

Step 3'-4: if $d \ne 0$ then go to Step 3'-2.
3.2 Loop Number of Step 1

In this section, we discuss $l$ in Step 1.

Theorem 1 ([7]). Let $p > 4$ and let $k \in \mathbb{Z}[\phi]$. If we set $l = \lceil 2\log_p \|k\| \rceil + 3$, then
there exist rational integers $-p/2 \le u_i < p/2$, $0 \le i \le l$, such that

$$k = \sum_{i=0}^{l} u_i\phi^i, \tag{7}$$

where $\|k\| := \sqrt{k\bar{k}}$, $\bar{k}$ is the complex conjugate of $k$ and $\lceil x \rceil$ is the minimum
integer greater than or equal to $x$.

Since the proof of Theorem 1 in [7] does not assume $p$ to be a small power
of two, the loop in Step 1 ends after at most $l \le \lceil 2\log_p \|k\| \rceil + 3$ iterations for general $p$.

3.3 Optimization of Base-$\phi$ Expansion

This section explains the background of the procedure in Step 2.

Step 2-1. If $k$ is randomly chosen from $0 < k < N_m$, we can assume $k \approx
p^m$ and $l = \lceil 2\log_p k \rceil + 3 \approx 2m + 3$. However, the series of the base-$\phi$ expansion
$\{u_0, \ldots, u_{2m+3}\}$ can easily be reduced to $\{d_0, \ldots, d_{m-1}\}$ by using the following
equation:

$$\phi^m = 1 \quad \text{in } \operatorname{End} E \text{ acting on } E(\mathbb{F}_{p^m}). \tag{8}$$

This is because $x^{p^m} = x$ for all $x \in \mathbb{F}_{p^m}$. Thus,

$$\sum_{i=0}^{\lceil 2\log_p k \rceil + 3} u_i\phi^i = \sum_{i=0}^{m-1}(u_i + u_{i+m} + u_{i+2m})\phi^i = \sum_{i=0}^{m-1} d_i\phi^i.$$

Step 2-2. We can accelerate Step 3 by decreasing the density of '1's in the bit
expression of $d_i$ by using Equation (9):

$$\sum_{i=0}^{m-1}\phi^i = 0. \tag{9}$$

Since $P$ is not an $\mathbb{F}_p$-point of $E$, $\phi P \ne P$. Equation (9) is derived from
Equation (8) and $\phi \ne 1$. Note that (8) by itself only gives
$(\phi - 1)\sum_{i=0}^{m-1}\phi^i P = O$, i.e. $\sum_{i=0}^{m-1}\phi^i P \in E(\mathbb{F}_p)$; (9) therefore holds for $P$
whenever the order of $P$ is coprime to $N_1$, which is the case for the large prime order
subgroup of Sect. 4, and an implementation should restrict $P$ to such a subgroup.

The theoretical required time for scalar multiplication for the case of $m = 7$
and $A = \lceil \log_2 p \rceil$ is shown in Table 2. "Type I expansion" denotes the proposed
procedure using $d_i$ instead of $c_i$ at Step 3 and "Type II expansion" denotes the
full proposed procedure.
Table 2. Required Time for Scalar Multiplication ($m = 7$)

Algorithm            EC Addition   EC Doubling   Total
binary               …             7A            (≈ 10.5A)
signed binary        …             7A            (≈ 9.6A)
Type I expansion     …             A             (≈ 4.5A)
Type II expansion    …             A             (≈ 3.4A)



4 Elliptic Curve Generation

In this section, we discuss how to generate elliptic curves for the base-$\phi$ expansion method.

Let $p$ be a prime, where $p > 3$, and let $E$ be the elliptic curve

$$Y^2 = X^3 + aX + b \tag{10}$$

over $\mathbb{F}_p$ ($a, b \in \mathbb{F}_p$). We should define the elliptic curve $E$ over $\mathbb{F}_p$ to use base-$\phi$ expansion. In such a case, we can easily compute $N_m$ by using Theorem 2.

Theorem 2 (Weil Conjecture [?, pp. 132-137]). Suppose $E$ is an elliptic curve over $\mathbb{F}_p$ and $t := p + 1 - N_1$. The number of $\mathbb{F}_{p^m}$-points on $E$ is

$$N_m = p^m + 1 - (\alpha^m + \beta^m),$$

where $\alpha, \beta$ are the roots of $x^2 - tx + p$.

From the viewpoint of cryptography, $E$ is a "good" elliptic curve if $N_m$ has a large prime factor. Since $N_n \approx p^n$ and $N_n$ divides $N_m$ if $n$ divides $m$, we have the best chance of getting a large prime factor of $N_m$ when $m$ is a prime. We can generate an elliptic curve $E/\mathbb{F}_p$ with $N_m$ that has a large prime factor by using the following procedure.

[Elliptic Curve Generation Procedure for Base-$\phi$ Expansion]

Input: $p$, $m$
Output: $E/\mathbb{F}_p$, $N_m$

Step 1: Generate $E/\mathbb{F}_p$ randomly and find its order $N_1 = p + 1 - t$.

Step 2: Find $N_m$ using the Weil conjecture.

Step 3: If $N_m$ doesn't have a large enough prime factor, go to Step 1.

For example, let $p = 2^{31} - 1$, $m = 7$ and $M := N_7 / N_1$ ($M \approx 2^{186}$ since $N_1 \approx p$). We can find some parameters such that $M$ becomes prime. One example is $a = -3$, $b = -212$, $\lceil \log_2 M \rceil = 186$.
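Step 2 of the procedure as an added Python example (not the paper's code): $N_m$ is obtained from $N_1$ with the integer recurrence for $\alpha^m + \beta^m$ that follows from $x^2 - tx + p$, and $M = N_7/N_1$ is formed for $p = 2^{31} - 1$. The trace $t$ used below is a constructed value inside the Hasse bound, not the trace of the curve with $a = -3$, $b = -212$, whose $N_1$ the page does not give.

```python
# Added example, not the paper's code: Step 2 of the curve generation procedure.
# N_m = p^m + 1 - (alpha^m + beta^m), where alpha, beta are the roots of
# x^2 - t x + p.  s_j = alpha^j + beta^j satisfies s_j = t*s_{j-1} - p*s_{j-2}
# with s_0 = 2 and s_1 = t, so N_m is computed exactly in integer arithmetic.
P = (1 << 31) - 1        # base field prime of the paper's 32-bit OEF example
M_EXT = 7                # extension degree m = 7 of the same example
T_CONSTRUCTED = -12345   # constructed trace inside the Hasse bound |t| <= 2*sqrt(p)


def power_sum(t, p, m):
    """alpha^m + beta^m for the roots alpha, beta of x^2 - t x + p (m >= 0)."""
    s_prev, s_cur = 2, t
    if m == 0:
        return s_prev
    for _ in range(m - 1):
        s_prev, s_cur = s_cur, t * s_cur - p * s_prev
    return s_cur


def point_count(p, t, m):
    """N_m by the Weil conjecture (Theorem 2)."""
    return p ** m + 1 - power_sum(t, p, m)


def cofactor(p, t, m):
    """M := N_m / N_1 together with its bit length.  N_1 always divides N_m,
    which is why only M has to be tested for a large prime factor in Step 3."""
    n1 = point_count(p, t, 1)
    nm = point_count(p, t, m)
    q, r = divmod(nm, n1)
    if r != 0:
        raise ArithmeticError("N_1 must divide N_m")
    return q, q.bit_length()


def hasse_ok(p, t):
    """The trace must satisfy t^2 <= 4p (Hasse bound)."""
    return t * t <= 4 * p
```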



5 Further Speed Up Techniques

5.1 Affine Coordinates

Points on an elliptic curve can be represented in several different coordinate systems: for example, affine coordinates or Jacobian coordinates, as shown in [?] and the Appendix. The number of operations on the finite field differs with the system. If you choose Jacobian coordinates, no inversion in the finite field is needed, but an elliptic curve addition needs ten or more multiplications in the field. On the other hand, if you choose affine coordinates, an elliptic curve addition needs one inversion and two multiplications. Thus, if an inversion is faster than 8 multiplications, affine coordinates are faster than Jacobian coordinates. The implementation in [?] used Jacobian coordinates because no efficient inversion algorithm for OEF had been proposed. Therefore, if we have a fast enough inversion algorithm, affine coordinates can accelerate elliptic curve operations.

In this section, we present a fast inversion algorithm for OEF. We consider the polynomial basis representation of a field element $a \in \mathbb{F}_{p^m}$:

$$a = a_{m-1}\alpha^{m-1} + \cdots + a_1\alpha + a_0 ,$$

where $a_i \in \mathbb{F}_p$ and $\alpha \in \mathbb{F}_{p^m}$ is a primitive root of $x^m - \omega$. The inverse $c$ of $a$ is defined by

$$ac = (a_{m-1}\alpha^{m-1} + \cdots + a_1\alpha + a_0)(c_{m-1}\alpha^{m-1} + \cdots + c_1\alpha + c_0) = 1 .$$

Since $\alpha$ is a root of $x^m - \omega$,

$$ac = \sum_{t=0}^{m-1} \left( \sum_{0 \le u \le t} a_u c_{t-u} + \omega \sum_{t+1 \le u \le m-1} a_u c_{m+t-u} \right) \alpha^t . \tag{11}$$

We obtain $c_i$ from Equation (11):

$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ \vdots \\ c_{m-2} \\ c_{m-1} \end{pmatrix} = \begin{pmatrix} a_0 & a_{m-1}\omega & a_{m-2}\omega & \cdots & a_2\omega & a_1\omega \\ a_1 & a_0 & a_{m-1}\omega & \cdots & a_3\omega & a_2\omega \\ a_2 & a_1 & a_0 & \cdots & a_4\omega & a_3\omega \\ \vdots & & & \ddots & & \vdots \\ a_{m-2} & a_{m-3} & a_{m-4} & \cdots & a_0 & a_{m-1}\omega \\ a_{m-1} & a_{m-2} & a_{m-3} & \cdots & a_1 & a_0 \end{pmatrix}^{-1} \begin{pmatrix} 1 \\ 0 \\ 0 \\ \vdots \\ 0 \\ 0 \end{pmatrix} . \tag{12}$$
Table 3. Calculation Cost for Each Coordinate System over OEF ($m = 3$)

Coordinates            EC Doubling   EC Addition
Affine                 57M           51M
Chudnovsky Jacobian    81M           117M
Modified Jacobian      72M           153M

For example, if $m = 3$ then

$$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \end{pmatrix} = \left( a_0^3 - 3a_0a_1a_2\omega + a_1^3\omega + a_2^3\omega^2 \right)^{-1} \begin{pmatrix} a_0^2 - a_1a_2\omega \\ a_2^2\omega - a_0a_1 \\ a_1^2 - a_0a_2 \end{pmatrix} .$$

[Inverse Procedure for OEF, $m = 3$]

Input: $[a_0, a_1, a_2]$ ($= a$)

Output: $[c_0, c_1, c_2]$ ($= c = a^{-1}$)

Step 1: Compute $b_0 \leftarrow a_0^2$, $b_1 \leftarrow a_1^2$, $b_2 \leftarrow a_2^2\omega$,
$e_0 \leftarrow a_0a_1$, $e_1 \leftarrow a_1a_2\omega$, $e_2 \leftarrow a_0a_2$,
$e_3 \leftarrow a_0b_0$, $e_4 \leftarrow a_1b_1\omega$, $e_5 \leftarrow a_2(b_2 - 3e_0)\omega$.

Step 2: Compute $d \leftarrow (e_3 + e_4 + e_5)^{-1}$.

Step 3: Compute $c_0 \leftarrow d(b_0 - e_1)$, $c_1 \leftarrow d(b_2 - e_0)$, $c_2 \leftarrow d(b_1 - e_2)$.

Since we can normally use $\omega$ as a small integer such as 2 or 3, we ignore multiplication by $\omega$ and by 3 when counting computing cost. Using this procedure, inversion over $\mathbb{F}_{p^3}$ needs 12 multiplications and one inversion over $\mathbb{F}_p$.

Let $M$ denote the cost of multiplication over $\mathbb{F}_p$ and let the cost of inversion over $\mathbb{F}_p$ be $15M$. Then, the costs of multiplication, squaring, and inversion over $\mathbb{F}_{p^m}$ are $9M$, $6M$, and $27M$, respectively. In this case, the elliptic curve operation costs in each coordinate system are as shown in Table 3. The operations in affine coordinates are about twice as fast as those in Jacobian coordinates.

Though the proposed inversion algorithm needs $O(m^2)$ computing cost, it is efficient enough for small $m$.
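The $m = 3$ inverse procedure together with a two-multiplication Frobenius map, as an added Python example that is not the paper's code, using the paper's 64-bit OEF parameters $p = 2^{61} - 1$, $f(x) = x^3 - 37$ from Sect. 6. The Frobenius formula $\alpha^p = \omega^{(p-1)/3}\alpha$ is my own derivation from $\alpha^3 = \omega$ and $3 \mid p - 1$ (the paper's own Frobenius algorithm is not reproduced here), and the operation counter confirms the stated 12 multiplications and one inversion over $\mathbb{F}_p$.

```python
# Added example, not the paper's code: arithmetic in the OEF
# F_{p^3} = F_p[x]/(x^3 - w) with the paper's 64-bit parameters p = 2^61 - 1,
# w = 37 (f(x) = x^3 - 37).  inv() is the "Inverse Procedure for OEF, m = 3";
# frobenius() is my own derivation: x^p = w^((p-1)/3) * x since x^3 = w and
# 3 | p - 1, so a^p costs m - 1 = 2 multiplications by precomputed constants.
P = (1 << 61) - 1
OMEGA = 37
ONE = (1, 0, 0)
# elements are triples (a0, a1, a2) standing for a0 + a1*x + a2*x^2
OPS = {"mul": 0, "inv": 0}   # F_p operations the paper counts


def fp_mul(u, v):
    OPS["mul"] += 1
    return u * v % P


def fp_inv(u):
    OPS["inv"] += 1
    return pow(u, P - 2, P)


def mul(a, b):
    """Schoolbook product reduced with x^3 = w (for verification only)."""
    a0, a1, a2 = a
    b0, b1, b2 = b
    c0 = a0 * b0 + OMEGA * (a1 * b2 + a2 * b1)
    c1 = a0 * b1 + a1 * b0 + OMEGA * a2 * b2
    c2 = a0 * b2 + a1 * b1 + a2 * b0
    return (c0 % P, c1 % P, c2 % P)


def inv(a):
    """Inverse Procedure for OEF, m = 3: 12 F_p multiplications and one F_p
    inversion.  Multiplications by w and by 3 are not counted, as in the paper."""
    a0, a1, a2 = a
    # Step 1
    b0 = fp_mul(a0, a0)
    b1 = fp_mul(a1, a1)
    b2 = fp_mul(a2, a2) * OMEGA % P
    e0 = fp_mul(a0, a1)
    e1 = fp_mul(a1, a2) * OMEGA % P
    e2 = fp_mul(a0, a2)
    e3 = fp_mul(a0, b0)
    e4 = fp_mul(a1, b1) * OMEGA % P
    e5 = fp_mul(a2, (b2 - 3 * e0) % P) * OMEGA % P
    # Step 2: e3 + e4 + e5 is the norm a0^3 + a1^3 w + a2^3 w^2 - 3 a0 a1 a2 w
    norm = (e3 + e4 + e5) % P
    if norm == 0:
        raise ZeroDivisionError("element is not invertible")
    d = fp_inv(norm)
    # Step 3
    return (fp_mul(d, (b0 - e1) % P),
            fp_mul(d, (b2 - e0) % P),
            fp_mul(d, (b1 - e2) % P))


# x^p = x * (x^3)^((p-1)/3) = w^((p-1)/3) * x  and  x^(2p) = w^(2(p-1)/3) * x^2
FROB1 = pow(OMEGA, (P - 1) // 3, P)
FROB2 = FROB1 * FROB1 % P


def frobenius(a):
    """a^p in F_{p^3}: coefficients are fixed (a_i^p = a_i), basis powers scale."""
    return (a[0], a[1] * FROB1 % P, a[2] * FROB2 % P)


def power(a, n):
    """Generic square-and-multiply, used to check frobenius() against a^p."""
    r = ONE
    while n:
        if n & 1:
            r = mul(r, a)
        a = mul(a, a)
        n >>= 1
    return r


def inversion_cost(a):
    """(multiplications, inversions) over F_p spent by one call of inv(a)."""
    OPS["mul"] = OPS["inv"] = 0
    inv(a)
    return OPS["mul"], OPS["inv"]
```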



6 Total Efficiency

We show the total efficiency of the base-$\phi$ scalar multiplication method.

Table 4 shows the current results of our elliptic curve implementation. We implemented our algorithms on a 500 MHz DEC Alpha workstation, which has a 64-bit architecture, and on a 400 MHz Intel Pentium II PC, which has a 32-bit architecture.

We executed the elliptic curve generation algorithm shown in the procedure described in Sect. 4 for the word sizes of 16 and 32.
Table 4. Scalar Multiplication Speed

Base-$\phi$ Expansion Method

Platform   Order (bit)   Size of Base Field   EC-Add (μsec)   EC-Double (μsec)   Scalar Mult. (msec)   Method
P II 400   186           $2^{31} - 1$         19.7            13.2               1.95                  Base-$\phi$
P II 400   186           $2^{31} - 1$         19.7            13.2               3.89                  Signed Binary
P II 400   156           $2^{13} - 1$         32.1            22.3               2.66                  Base-$\phi$
P II 400   156           $2^{13} - 1$         32.1            22.3               5.50                  Signed Binary

"P II 400" denotes 400 MHz Pentium II PC.

Affine Coordinates

Platform    Order (bit)   Size of Base Field   EC-Add (μsec)   EC-Double (μsec)   Scalar Mult. (msec)   Coordinates
Alpha 500   183           $2^{61} - 1$         4.64            5.25               0.994                 Affine
Alpha 500   183           $2^{61} - 1$         7.8             6.24               1.58                  Jacobian (Bailey [?])

"Alpha 500" denotes 500 MHz DEC Alpha workstation.

Speed in Previous Works

Platform    Order (bit)   Size of Base Field   EC-Add (μsec)   EC-Double (μsec)   Scalar Mult. (msec)   Reference
Sparc       180           2^                   *1              *1                 59.2                  Müller [?]
P 133       177           2                    306             309                72                    De Win [?]
Alpha 500   160           $2^{32} - 5$         20              16.2               3.62                  Bailey [?]
Alpha 500   160           $2^{16} - 165$       207             166                37.1                  Bailey [?]

"Sparc" denotes SparcStation.

"P 133" denotes 133 MHz Pentium PC.

*1: No information in [?].

The parameters used in the implementation are as follows:

[64-bit OEF]

$p = 2^{61} - 1$, $m = 3$, $f(x) = x^3 - 37$,

$E : y^2 = x^3 - ax - a$,

where $a = 1798615821903599087\,\alpha^2 + 257902442738591772\,\alpha + 1373279171338599842$ and $\alpha$ is a root of $f(x)$.

[32-bit OEF]

$p = 2^{31} - 1$, $m = 7$, $f(x) = x^7 - 3$,

$E : y^2 = x^3 - 3x - 212$.

[16-bit OEF]

$p = 2^{13} - 1$, $m = 13$, $f(x) = x^{13} - 2$,

$E : y^2 = x^3 - 3x + 30$,

where $f(x)$ is a minimal polynomial.
We implemented the 16-bit and 32-bit cases on the Pentium II ("P II" in Table 4) to examine the effectiveness of the base-$\phi$ scalar multiplication method. We implemented the 64-bit case on the DEC Alpha ("Alpha" in Table 4) to examine the effectiveness of affine coordinates. "Speed in Previous Works" in Table 4 is shown as a reference.

The results clarify that the proposed base-$\phi$ expansion method speeds up scalar multiplication by a factor of two over the traditional signed binary method in the 16-bit and 32-bit OEF cases. In the case of 64-bit OEF, the new inversion algorithm makes scalar multiplication about 60% faster.

7 Conclusions

This paper proposed a new algorithm that computes the Frobenius map and inversion over the OEF-type finite field $\mathbb{F}_{p^m}$. We need only $m - 1$ multiplications over $\mathbb{F}_p$ to compute the Frobenius map. The inversion algorithm needs one inversion and $O(m^2)$ multiplications over $\mathbb{F}_p$, and it is quite efficient for small $m$.

Consequently, we extended the base-$\phi$ scalar multiplication method to suit finite fields with higher characteristic (such as OEF) by introducing the table reference method. When the proposed algorithm is applied to OEF-type elliptic curves, the algorithm is about twice as fast as some conventional OEF-based algorithms.

We confirmed the total efficiency of the proposed algorithm by implementation. In the case of 16-bit and 32-bit OEF, the base-$\phi$ expansion method is twice as fast as traditional techniques. In the case of 64-bit OEF, the calculation time is 1.6 times shorter due to the use of the new inversion algorithm.
Appendix: Coordinates

Let

$$E : y^2 = x^3 + ax + b \quad (a, b \in \mathbb{F}_p,\ 4a^3 + 27b^2 \neq 0)$$

be the equation of an elliptic curve $E$ over $\mathbb{F}_p$.

For Jacobian coordinates, with $x = X/Z^2$ and $y = Y/Z^3$, a point $P$ on the elliptic curve is represented as $P = (X, Y, Z)$. In order to make addition faster, the Chudnovsky Jacobian coordinates represent a Jacobian point as the quintuple $(X, Y, Z, Z^2, Z^3)$. On the other hand, in order to make doubling faster, the modified Jacobian coordinates represent a Jacobian point as the quadruple $(X, Y, Z, aZ^4)$.

The number of operations needed to compute elliptic curve doubling and addition is shown in Table 5.

Table 5. Operations for Each Coordinate

Coordinates            Elliptic Curve Doubling   Elliptic Curve Addition
Affine                 2 M + 2 S + 1 I           2 M + 1 S + 1 I
Chudnovsky Jacobian    5 M + 6 S                 11 M + 3 S
Modified Jacobian      4 M + 4 S                 13 M + 6 S

M: Multiplication, S: Squaring, I: Inversion.
Abstract. This paper addresses the discrete logarithm problem in elliptic curve cryptography. In particular, we generalize the Menezes, Okamoto, and Vanstone (MOV) reduction so that it can be applied to some non-supersingular elliptic curves (ECs); decrypt Frey and Rück (FR)'s idea to describe the detail of the FR reduction and to implement it for actual elliptic curves with finite fields on a practical scale; and based on them compare the (extended) MOV and FR reductions from an algorithmic point of view. (This paper has primarily an expository role.)

1 Introduction

This paper addresses the discrete logarithm problem (DLP) in elliptic curve (EC) cryptography. ECs have been intensively studied in algebraic geometry and number theory. In recent years, they have been used in devising efficient algorithms for factoring integers [?] and primality proving [2], and in the construction of public key cryptosystems [?]. In particular, EC cryptography whose security is based on the intractability of the DLP in ECs (ECDLP) has drawn considerable public attention in recent years.

Let $E/\mathbb{F}_q$ be an EC given by the Weierstrass equation:

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6, \qquad a_1, a_2, a_3, a_4, a_6 \in \mathbb{F}_q , \tag{1}$$

where $\mathbb{F}_q$ is a finite field with $q = p^m$ elements ($p$: prime, and $m \ge 1$). The ECDLP in $E/\mathbb{F}_q$ is defined to find $l$, $0 \le l \le n - 1$, such that $R = lP := \underbrace{P + P + \cdots + P}_{l}$ given $P \in E(\mathbb{F}_q)$ and $R \in \langle P \rangle$, where $n$ is the order of the finite cyclic group $\langle P \rangle$. Throughout the paper, we denote $E(\mathbb{K}) := \{(x, y) \in \mathbb{K} \times \mathbb{K} \mid (x, y) \text{ satisfies Eq. (1)}\} \cup \{O\}$; the addition is defined in such a way that $E := E(\bar{\mathbb{K}})$ makes an abelian group, where $\bar{\mathbb{K}}$ is the algebraic closure of $\mathbb{K}$, and $O$ is the identity element of the group [?].

The main reason why EC cryptosystems are getting more accepted compared to the conventional schemes is that it is believed that the ECDLP in $E/\mathbb{F}_q$

J. Stern (Ed.): EUROCRYPT’99, LNCS 1592, pp. 19n- T?m 1999.

(c) Springer-Verlag Berlin Heidelberg 1999
generally requires an exponential time in $\log q$ to solve it (V. Miller and J. Silverman and J. Suzuki [?]) while the DLP in $\mathbb{F}_q^*$ can be solved at most within a subexponential time.

In other words, if EC cryptosystems provide security equivalent to the existing schemes, then the key lengths will be shorter. Having short key lengths means smaller bandwidth and memory requirements and can be a crucial factor in some applications, for example the design of smart card systems.

However, it has been reported that for specific cases the ECDLP is no more difficult than the DLP by considering injective homomorphisms that map in polynomial time from $\langle P \rangle$ to $\mathbb{F}_q^+$ or $\mathbb{F}_K^*$, where $\mathbb{F}_K$ is a suitable extension field of $\mathbb{F}_q$. (For attacks against hyper-EC cryptography, L. Adleman, J. DeMarrais, and M. Huang gave a heuristic argument that under certain assumptions, the DLP in the group of rational points on the Jacobian of a genus $g$ hyper-EC over $\mathbb{F}_p$ is solved in a subexponential time for sufficiently large $g$ and odd $p$ with $\log p \le (2g+1)^{0.98}$. For the detail, see [?].)

For the reduction to $\mathbb{F}_q^+$, recently only the case of anomalous ECs, i.e. the case of $q = p$ and $\#E(\mathbb{F}_p) = p$, and its simple generalization have been solved [?].

On the other hand, for the reduction to $\mathbb{F}_K^*$, A. Menezes, T. Okamoto, and S. Vanstone [?] proposed the so-called MOV reduction that makes it possible to solve the case of supersingular ECs, i.e. the case of $p \mid t$ with $t := q + 1 - \#E(\mathbb{F}_q)$. In other words, for supersingular ECs the ECDLP in $E/\mathbb{F}_q$ is reduced to the DLP in $\mathbb{F}_{q^k}$ for some $k$, which is solved in a subexponential time. The DLP obtained in that way is defined in $\mathbb{F}_{q^k}^*$, so that the input size is multiplied by $k$. Actually, the value of $k$ is the minimum positive integer such that $E[n] \subset E(\mathbb{F}_{q^k})$, where $E[n] := \{T \in E \mid nT = O\}$. Menezes, Okamoto, and Vanstone found in [?] that if $E/\mathbb{F}_q$ is supersingular, such a $k$ is at most six, and constructed a probabilistic polynomial time algorithm to find $Q \in E[n]$ such that the Weil pairing $e_n(P, Q)$ [?] has order $n$ in $\mathbb{F}_{q^k}^*$.

Concerning the reduction to $\mathbb{F}_{q^k}^*$, after the MOV reduction appeared, G. Frey and H. Rück [7] proposed another injective homomorphism based on the Tate pairing (FR reduction). The FR reduction is applied when $n \mid q - 1$. Also, by extending the definition field from $\mathbb{F}_q$ to $\mathbb{F}_{q^k}$, the reduction is possible even for the case of $n \mid q^k - 1$. In this case, $k$ is the minimum positive integer such that $n \mid q^k - 1$. Then, as in the MOV reduction, the input size of the DLP is multiplied by $k$. But Ref. [7] dealt with only the conceptual aspect.

At this point, we should be aware that there is a gap between the conditions under which the MOV and FR reductions are applied. In fact, according to R. Schoof [?], if $p \nmid n$, $E[n] \subset E(\mathbb{F}_{q^k})$ is equivalent to $n \mid q^k - 1$ and two other conditions.

In this paper, we generalize the MOV reduction so that it can be applied to some non-supersingular ECs satisfying $E[n] \subset E(\mathbb{F}_{q^k})$ for some $k$ (Section 2). This extension is not straightforward since no algorithm has been proposed to efficiently find, for non-supersingular ECs, some $Q \in E[n]$ such that $e_n(P, Q)$ is a primitive $n$-th root of unity. We construct a polynomial time algorithm to realize it, although those ECs do not cover all the ones satisfying $E[n] \subset E(\mathbb{F}_{q^k})$.
Moreover, we prove that it is possible to immediately find such a $Q \in E[n]$ for the MOV reduction unless $c_2 n \mid c_1$, when we express the group structure as

$$E(\mathbb{F}_q) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}, \quad E[n] \subset E(\mathbb{F}_{q^k}), \quad \text{and} \quad E(\mathbb{F}_{q^k}) \cong \mathbb{Z}_{c_1 n_1} \oplus \mathbb{Z}_{c_2 n_1}$$

with $n_2 \mid n_1$ and $c_2 \mid c_1$ (see Section 2).

On the other hand, quite recently, R. Balasubramanian and N. Koblitz [?] showed that if $n$ is a prime, $n \nmid q$, and $n \nmid q - 1$, then $E[n] \subset E(\mathbb{F}_{q^k})$ is equivalent to $n \mid q^k - 1$.

In this sense, if $n$ is a prime, the following are the cases that the (extended) MOV reduction cannot deal with but the FR can:

1. $n \mid q - 1$; and

2. $E[n] \subset E(\mathbb{F}_{q^k})$, $c_2 n \mid c_1$.

Next, we describe the detailed algorithm for the FR reduction, and analyze its computational properties (in Section 3). We actually implement the FR reduction for many cases. In addition, we compare it with the extended MOV reduction except for those two cases (in Section 4). Consequently, we suggest that the FR is better than the MOV in any situation.

Throughout the paper, for brevity, we assume

1. the order $n$ of $\langle P \rangle$ is a prime.

If the given $n = \prod_i p_i^{e_i}$ is not prime, the problem is reduced to finding, for each $i$, $l \bmod p_i$ such that $R = lP$. Then, we can obtain the values of $l \bmod p_i^{e_i}$ for all $i$ using the Pohlig-Hellman algorithm [?] and determine $l \bmod n$ using the Chinese Remainder Theorem. Further, without loss of generality, we can assume the following two conditions:

2. $p \nmid t$ (non-supersingularity), and

3. $p \nmid n$ (non-anomalousness), i.e. $p \neq n$,

because for those cases, the ECDLP has already been solved in subexponential and polynomial times, respectively.

This paper has primarily an expository role.



2 Extending the MOV Reduction

The framework of the MOV reduction can be described as follows ([?], page 71 in [?]). The idea is to extend the definition field from $\mathbb{F}_q$ to $\mathbb{F}_{q^k}$ for some $k$ so that $E[n] \subset E(\mathbb{F}_{q^k})$.

Algorithm 1

Input: an element $P \in E(\mathbb{F}_q)$ of order $n$, and $R \in \langle P \rangle$.

Output: an integer $l$ such that $R = lP$.

¹ Throughout the paper, $\mathbb{Z}_n$ denotes $\mathbb{Z}/n\mathbb{Z}$.
Step 1: determine the smallest integer $k$ such that $E[n] \subset E(\mathbb{F}_{q^k})$.

Step 2: find $Q \in E[n]$ such that $\alpha = e_n(P, Q)$ has order $n$.

Step 3: compute $\beta = e_n(R, Q)$.

Step 4: compute $l$, the discrete logarithm of $\beta$ to the base $\alpha$ in $\mathbb{F}_{q^k}^*$.

Let $\mu_n$ be the group of $n$-th roots of unity, $e_n : E[n] \times E[n] \to \mu_n$ the Weil pairing [?], and $Q \in E[n]$ such that $e_n(P, Q)$ is a primitive $n$-th root of unity. Then, from the property of the Weil pairing, $\mu_n \subset \mathbb{F}_{q^k}^*$ holds. Thus, the group isomorphism $\langle P \rangle \to \mu_n$ defined by $S \mapsto e_n(S, Q)$ gives an injective homomorphism $\langle P \rangle \to \mathbb{F}_{q^k}^*$.

It is known that for any $E/\mathbb{F}_q$ there is a pair $(n_1, n_2)$ such that $E(\mathbb{F}_q) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$ with $n_2 \mid n_1$ [?]. Ref. [?] proved that if $E/\mathbb{F}_q$ is supersingular,

1. $k$ is at most 6, and

2. if we put $E(\mathbb{F}_{q^k}) \cong \mathbb{Z}_{c_1 n_1} \oplus \mathbb{Z}_{c_2 n_1}$ for appropriate $c_1$ and $c_2$ with $c_2 \mid c_1$, then $c_1 = c_2$.

In general, the values of $c_1$ and $c_2$ can be obtained by the following:

1. Count $\#E(\mathbb{F}_q)$, using Schoof's method [?] or its variant [?].

2. For each $k$,

(a) compute $\#E(\mathbb{F}_{q^k})$ from $\#E(\mathbb{F}_q)$, using the Weil Theorem;

(b) factor $\#E(\mathbb{F}_{q^k})$; and

(c) find $n_1'$ and $n_2'$ such that $E(\mathbb{F}_{q^k}) \cong \mathbb{Z}_{n_1'} \oplus \mathbb{Z}_{n_2'}$ using Miller's algorithm ($c_1 = n_1'/n_1$ and $c_2 = n_2'/n_1$).

However, it would be time-consuming to follow these steps: the first two steps take polynomial time, the third takes a subexponential time, and the last takes a probabilistic polynomial time, provided $k$ is small enough compared to $q$. However, in Ref. [?], Algorithm 1', which will be mentioned later, is constructed concretely based on the following facts concerning supersingular ECs:

1. there are six classes of supersingular ECs;

2. the values of $k$ and $c$ ($= c_1 = c_2$) are uniquely determined by the class; and

3. the class is uniquely determined by the value of $t = q + 1 - \#E(\mathbb{F}_q)$, where $t$ is the trace of the $q$-th power Frobenius endomorphism.

That is, for supersingular ECs, the following algorithm was proposed in [?].

Algorithm 1'

Input: an element $P \in E(\mathbb{F}_q)$ of order $n$, and $R \in \langle P \rangle$.

Output: an integer $l$ such that $R = lP$.

Step 1': determine the smallest integer $k$ such that $E[n] \subset E(\mathbb{F}_{q^k})$.

Step 2': pick $Q' \in E(\mathbb{F}_{q^k})$ randomly, and compute $Q = [cn_1/n]Q'$.

Step 3': compute $\alpha = e_n(P, Q)$ and $\beta = e_n(R, Q)$.

Step 4': compute $l'$ by solving the discrete logarithm of $\beta$ to the base $\alpha$ in $\mathbb{F}_{q^k}^*$.

Step 5': check if $l'P = R$ holds. If it does, set $l = l'$. Otherwise, go to Step 2'.
It can easily be seen that Algorithms 1 and 1' are essentially the same although they take different steps. At this point, we pay attention to how to determine an element $Q \in E[n]$. The correct $l$ is obtained with probability $1 - 1/n$ ($\varphi(n)/n$ if $n$ is not a prime) after Steps 1'–5' of Algorithm 1'.

Since $n$ is large, the expected number of trials is close to one.

Since we consider non-supersingular ECs, we cannot use the above three facts. Let $(e, r)$ be such that $c_1/c_2 = n^e r$ with $e \ge 0$ and $(n, r) = 1$. We propose the details of Step 2 in Algorithm 1 for non-supersingular ECs as follows:

Step 2-1: pick $Q' \in E(\mathbb{F}_{q^k})$ randomly.

Step 2-2: set $Q = [c_1 n_1/n^{e+1}]Q' \in E[n^{e+1}] \subset E(\mathbb{F}_{q^k})$.

Step 2-3: if $Q \notin E[n]$, i.e. if $nQ \neq O$, go to Step 2-1.

Step 2-4: compute $\alpha = e_n(P, Q)$. If $\alpha = 1$, go to Step 2-1.

We should note here that the above modification provides a generalization of the MOV reduction: previously, the MOV could be applied if the EC is supersingular, i.e. $e = 0$ and $r = 1$. If $e = 0$, Step 2-3 can be omitted. The following theorem suggests from a computational point of view that the extension of the MOV reduction in this paper is useful if and only if $e = 0$.

Theorem 1 The probability that $Q \in E[n^{e+1}] \subset E(\mathbb{F}_{q^k})$ obtained in Step 2-2 satisfies both $Q \in E[n]$ and $e_n(P, Q) \neq 1$ is $\frac{1}{n^e}\left(1 - \frac{1}{n}\right)$.

Proof: Consider the map:

$$f : E(\mathbb{F}_{q^k}) \to E(\mathbb{F}_{q^k}), \qquad f(Q) = [c_1 n_1/n^{e+1}]Q .$$

Then, since $E(\mathbb{F}_{q^k}) \cong \mathbb{Z}_{c_1 n_1} \oplus \mathbb{Z}_{c_2 n_1}$, the image of $f$ is isomorphic to $\mathbb{Z}_{n^{e+1}} \oplus \mathbb{Z}_n$. Let $\Omega$ be the set of $Q$ such that $Q \in E[n]$ and $e_n(P, Q) \neq 1$. From the property of the Weil pairing, $e_n(P, Q) = 1$ with $P \neq O$ if and only if $Q \in \langle P \rangle$. Thus, $\#\Omega = n^2 - n$. If $Q' \in E(\mathbb{F}_{q^k})$ is randomly selected in Step 2-1, the probability of success in Step 2-4 is obtained as:

$$\frac{\#\mathrm{Ker} f \times \#\Omega}{\#E(\mathbb{F}_{q^k})} = \frac{\dfrac{c_1 n_1 \times c_2 n_1}{n^{e+1} \times n} \times (n^2 - n)}{c_1 n_1 \times c_2 n_1} = \frac{1}{n^e}\left(1 - \frac{1}{n}\right) .$$

□

Corollary 1 In Steps 2-1 through 2-4 of Algorithm 1, the expected number of iterations is $n^{e+1}/(n - 1) \approx n^e$.

Proof: From Kac's lemma [?], the expected time is the reciprocal of the probability $(1 - 1/n)/n^e$ that has been obtained in Theorem 1, i.e. $n^{e+1}/(n - 1)$. □
Recall $n = O(q)$, which means Step 2-3 requires an exponential time on average if $e \ge 1$.

If we have $c_2 n \mid c_1$ during the field extension when we apply the MOV reduction, we must give up the reduction process. Such a probability may be small, and we might in the future come up with an alternative method that can deal with even such a case. However, we should keep in mind that there is much additional computation to realize the MOV reduction for non-supersingular ECs: counting $\#E(\mathbb{F}_q)$, factoring $\#E(\mathbb{F}_{q^k})$, finding the pair $(c_1, c_2)$ for the group structure of $E(\mathbb{F}_{q^k})$ (more precisely, the value of $c_1 n_1/n^{e+1}$ in Step 2-2), etc., even when $E[n] \subset E(\mathbb{F}_{q^k})$ and $c_2 n \nmid c_1$.

3 Implementing the FR Reduction

In this section, assuming $\mathbb{K} := \mathbb{F}_{q^k}$ for some $k$, we consider the realization of the FR reduction.

In the original paper by Frey and Rück [7], only the conceptual aspect was stated, and it seems that no realization of the FR reduction has been published because the FR reduction appears to be less familiar to the cryptography community than the MOV reduction. We first describe an algorithm for realizing Frey and Rück's idea, where we assume that $k$ is the minimum integer such that $n \mid q^k - 1$.

Algorithm 2

Input: an element $P \in E(\mathbb{F}_q)$ of order $n$, and $R \in \langle P \rangle$.

Output: an integer $l$ such that $R = lP$.

Step 1: determine the smallest integer $k$ such that $n \mid q^k - 1$, and set $\mathbb{K} := \mathbb{F}_{q^k}$.

Step 2: pick $S, T \in E(\mathbb{K})$ randomly.

Step 3: compute the element $f \in \mathbb{K}(E)^*$ such that $\mathrm{div}(f) = n((P) - (O))$, and compute $\alpha = f(S)/f(T)$.

Step 4: compute $\gamma = \alpha^{(q^k - 1)/n}$. If $\gamma = 1$, then go to Step 2.

Step 5: compute the element $g \in \mathbb{K}(E)^*$ such that $\mathrm{div}(g) = n((R) - (O))$, and compute $\beta = g(S)/g(T)$, and $\delta = \beta^{(q^k - 1)/n}$.

Step 6: solve the DLP $\delta = \gamma^l$ in $\mathbb{K}^*$, i.e. the logarithm of $\delta$ to the base $\gamma$ in $\mathbb{K}^*$.

3.1 Frey and Rück's Idea

Let $\mathrm{Div}(E)$ be the divisor group of $E$ and $\mathrm{supp}(D) := \{P \in E(\bar{\mathbb{K}}) : n_P \neq 0\}$ for $D = \sum_{P \in E} n_P (P) \in \mathrm{Div}(E)$. Then, since $E$ is defined over $\mathbb{K}$, the Galois group $G_{\bar{\mathbb{K}}/\mathbb{K}}$ acts on $\mathrm{Div}(E)$ as $D^\sigma = \sum_{P \in E} n_P (P^\sigma)$ for $D = \sum_{P \in E} n_P (P) \in \mathrm{Div}(E)$ and $\sigma \in G_{\bar{\mathbb{K}}/\mathbb{K}}$. We say that $D \in \mathrm{Div}(E)$ is defined over $\mathbb{K}$ if $D^\sigma = D$ for all $\sigma \in G_{\bar{\mathbb{K}}/\mathbb{K}}$, and denote by $\mathrm{Div}_{\mathbb{K}}(E)$ the subset of $\mathrm{Div}(E)$ whose elements are defined over $\mathbb{K}$.
For $f \in \bar{\mathbb{K}}(E)^*$, the divisor $\mathrm{div}(f)$ is defined by $\mathrm{div}(f) := \sum_{P \in E} \mathrm{ord}_P(f)\,(P)$, where $\mathrm{ord}_P(f)$ is the multiplicity of zeros (if positive) or poles (if negative) at $P \in E$ with respect to $f \in \bar{\mathbb{K}}(E)^*$, and we refer to such a divisor as a principal divisor.

Let $\mathrm{Div}^0(E) := \{D \in \mathrm{Div}(E) \mid \deg(D) = 0\}$, where $\deg(D) := \sum n_P$, and $\mathrm{Prin}(E)$ the subset of $\mathrm{Div}^0(E)$ whose elements are principal divisors. Then, we can define the following surjective map:

$$\mathrm{Div}^0(E) \to \mathrm{Pic}^0(E) := \mathrm{Div}^0(E)/\mathrm{Prin}(E), \qquad D \mapsto \bar{D} ,$$

and denote $D_1 \sim D_2$ if two divisors $D_1$ and $D_2$ have the same image, i.e. $\bar{D}_1 = \bar{D}_2$ in $\mathrm{Pic}^0(E)$. We further define $\mathrm{Pic}^0_{\mathbb{K}}(E)$ to be the set of all divisor classes in $\mathrm{Pic}^0(E)$ that have a representative element defined over $\mathbb{K}$, which is a subgroup of $\mathrm{Pic}^0(E)$. Moreover, $\mathrm{Pic}^0(E)_n := \{\bar{D} \in \mathrm{Pic}^0(E) \mid n\bar{D} = 0\}$.

It is known that by the isomorphism

$$E(\mathbb{K}) \to \mathrm{Pic}^0_{\mathbb{K}}(E), \qquad Q \mapsto \overline{(Q) - (O)} ,$$

we can identify $E(\mathbb{K})$ with $\mathrm{Pic}^0_{\mathbb{K}}(E)$ and denote $\overline{(Q) - (O)}$ by $\bar{Q}$.

Let $A$ be a divisor such that $\bar{A} \in \mathrm{Pic}^0_{\mathbb{K}}(E)_n$ and $B$ another divisor $\sum_i a_i (Q_i) \in \mathrm{Div}^0_{\mathbb{K}}(E)$ such that $\mathrm{supp}(A) \cap \mathrm{supp}(B) = \emptyset$. Since $nA \sim 0$, there exists an element $f_A$ in the function field $\mathbb{K}(E)$ such that $\mathrm{div}(f_A) = nA$ [?], so that we can put $f_A(B) := \prod_i f_A(Q_i)^{a_i}$.

Then, Frey and Rück [7] proved the following:

Proposition 1 ([7]) If $n \mid q - 1$, $\{A, B\}_{0,n} := f_A(B)$ defines a nondegenerate bilinear pairing:

$$\{\,,\}_{0,n} : E(\mathbb{K})[n] \times E(\mathbb{K})/nE(\mathbb{K}) \to \mathbb{K}^*/(\mathbb{K}^*)^n ,$$

where $E(\mathbb{K})[n] := E[n] \cap E(\mathbb{K})$.

Then the mapping $\mathbb{K}^* \to \mathbb{K}^*$ defined by $a \mapsto a^{(q^k - 1)/n}$ gives $\mathbb{K}^*/(\mathbb{K}^*)^n \cong \mu_n \subset \mathbb{K}^*$, where $\mu_n$ is the group of $n$-th roots of unity. From the nondegeneracy of the pairing $\{\,,\}_{0,n}$, there exists $\bar{Q} \in E(\mathbb{K})/nE(\mathbb{K})$ such that $\{\bar{P}, \bar{Q}\}_{0,n}^{(q^k - 1)/n}$ is a primitive $n$-th root of unity. Thus, the group isomorphism $\langle P \rangle \to \mu_n$ defined by $S \mapsto \{\bar{S}, \bar{Q}\}_{0,n}^{(q^k - 1)/n}$ gives an injective homomorphism $\langle P \rangle \to \mathbb{F}_{q^k}^*$.

The pairing $\{\,,\}_{0,n}$ can be said to be a variant of the Tate pairing [?].

3.2 Theoretical Analysis

In [7], the computation of Steps 2–5 is supposed to be within a probabilistic polynomial time; now we actually evaluate the computation for each step in Algorithm 2. We assume that the usual multiplication algorithms are used, so that multiplying two elements of length $N$ takes time $O(N^2)$.

For Step 2, we first pick an element $x = a$ in $\mathbb{K}$ to substitute it into Eq. (1). Then, we check if the quadratic equation with respect to $y$ has a solution
in $\mathbb{K}$, i.e. if the discriminant is a quadratic residue in $\mathbb{K}$. The probability of success is approximately a half. If it is successful, it suffices to solve the quadratic equation in the usual manner. The computation to solve the quadratic equation is dominated by computing square roots in $\mathbb{K}$. This takes expected running time $O((\log q^k)^3) = O(k^3 (\log q)^3)$ (for the detail, see [?]). We do this process twice to obtain $S, T \in E(\mathbb{K})$.

For Step 3, there is a standard procedure to compute the function $f \in \mathbb{K}(E)$ from a principal divisor $\mathrm{div}(f) \in \mathrm{Prin}(E)$ (see for example pages 63–64 in [14]). Basically, this can be done by the following:

1. Write $\mathrm{div}(f) = \sum_i a_i ((P_i) - (O))$.

2. For each $i$, compute $P_i' \in E$ and $f_i \in \mathbb{K}(E)$ such that

$$a_i ((P_i) - (O)) = (P_i') - (O) + \mathrm{div}(f_i) .$$

3. Add the divisors $(P_i') - (O) + \mathrm{div}(f_i)$ for all $i$.

Then, we can add two divisors as follows: if two divisors $D, D'$ are expressed by

$$D = (P) - (O) + \mathrm{div}(f), \qquad D' = (P') - (O) + \mathrm{div}(f')$$

with $P, P' \in E$ and $f, f' \in \mathbb{K}(E)^*$, then

$$D + D' = (P + P') - (O) + \mathrm{div}(ff'g)$$

where $g = l/v$ with $l$ and $v$ the lines through $P$ and $P'$ and through $P + P'$ and $O$ (in particular, $P' = -P$ implies $v = 1$). We can obtain the value of $\alpha = f(S)/f(T)$ by substituting $S, T$ into the aforementioned $f, f', g$ and multiplying them. Hence, Step 3 takes $O((\log q^k)^2) \times O(\log n) = O(k^2 (\log q)^3)$.

For Step 4, the computation of $\gamma = \alpha^{(q^k - 1)/n}$ takes $O(\log(\frac{q^k - 1}{n})) \times O((\log q^k)^2) = O(k^3 (\log q)^3)$. Moreover, we should evaluate the probability of going back to Step 2 so that we can measure how long it takes to compute the whole steps. The crucial point here is that we should efficiently find $\bar{Q} \in \mathrm{Pic}^0_{\mathbb{K}}(E)/n\mathrm{Pic}^0_{\mathbb{K}}(E)$ such that $\{\bar{P}, \bar{Q}\}_{0,n}$ can be a generator of $\mathbb{K}^*/(\mathbb{K}^*)^n$. We prove the following theorem.

Theorem 2 Let $k$ be the smallest positive integer such that $n \mid q^k - 1$ (in this case, $\mathbb{K} = \mathbb{F}_{q^k}$). Then the probability of going back from Step 4 to Step 2 is $1/n$.

Proof: Note that $E(\mathbb{K}) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$, $n_2 \mid n_1$, and $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. Thus,

Also, from the nondegeneracy of the FR reduction,

We consider the two cases separately.
1. $E[n] \not\subset E(\mathbb{K})$, i.e. $n \nmid n_2$: if we pick $Q \in E(\mathbb{K})$ randomly, the probability of $\{\bar{P}, \bar{Q}\}_{0,n} \notin (\mathbb{K}^*)^n$ is

$$\frac{\#E(\mathbb{K}) - \#nE(\mathbb{K})}{\#E(\mathbb{K})} = \frac{n_1 n_2 - n_1 n_2 / n}{n_1 n_2} = 1 - \frac{1}{n} .$$

2. $E[n] \subset E(\mathbb{K})$, i.e. $n \mid n_2$: let $T := \{\bar{Q} \in E(\mathbb{K})/nE(\mathbb{K}) \mid \{\bar{P}, \bar{Q}\}_{0,n} \notin (\mathbb{K}^*)^n\}$. Then, $\#T = n^2 - n$. Since the map $\psi : E(\mathbb{K}) \to E(\mathbb{K})/nE(\mathbb{K})$ is a module homomorphism, the probability of $\{\bar{P}, \bar{Q}\}_{0,n} \notin (\mathbb{K}^*)^n$ is

$$\frac{\#\mathrm{Ker}(\psi) \times \#T}{\#E(\mathbb{K})} = \frac{(n_1 n_2 / n^2)(n^2 - n)}{n_1 n_2} = 1 - \frac{1}{n} .$$

□

The probability of going back from Step 4 to Step 2 is almost zero since we assume that $n$ is considerably large.

For Step 5, we can estimate the computation as $O(k^3 (\log q)^3)$.

From the above insight, if $k$ can be assumed to be small enough compared to $q$, the expected running time of the FR reduction (from Step 2 to Step 5 in Algorithm 2) is $O((\log q)^3)$.

3.3 Implementation

We made several experiments including the following four cases. The CPU is a Pentium 75 MHz (SONY Quarter L, QL-50NX, second cache capacity: 256 kB). In Examples 1 and 2, the FR reduction was applied to ECs with trace 2.

Example 1 (EC with trace 2, i.e. $\#E(\mathbb{F}_p) = p - 1$) Suppose that the curve $E/\mathbb{F}_p : y^2 = x^3 + ax + b$, the base point $P = (x_0, y_0) \in E(\mathbb{F}_p)$, the order $n$ of $P$, and a point $R = [l]P = (x_1, y_1)$ are given as follows:

p = 23305425500899 (binary 45 bits, p − 1 = 2 × 3^2 × 1137869^2),
a = 13079575536215, b = 951241857177,
n = 1137869,
x0 = 17662927853004, y0 = 1766549410280,
x1 = 2072411881257, y1 = 5560421985272.

Then, we find that $l = 709658$.

Example 2 (EC with trace 2, i.e. $\#E(\mathbb{F}_p) = p - 1$) Suppose that the curve $E/\mathbb{F}_p : y^2 = x^3 + ax + b$, the base point $P = (x_0, y_0) \in E(\mathbb{F}_p)$, the order $n$ of $P$, and a point $R = [l]P = (x_1, y_1)$ are given as follows:

p = 93340306032025588917032364977153
(binary 107 bits, p − 1 = 2^10 × 7^2 × 163 × 847321^2 × 3986987^2),
a = 71235469403697021051902688366816, b = 47490312935798014034601792244544,
n = 3986987,
x0 = 10362409929965041614317835692463, y0 = 79529049191468905652172306035573,
x1 = 15411349585423321468944221089888, y1 = 9416052907883278088782335830033.
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For Example 2, the reduction process was implemented as follows: 

1) Choose random points S,T £ E(Fp): 

R = (x2,y2), 

X2 = 78183126653622965564444255681546, 1/2 = 78588945135854560800493672181265, 

S = ( 3 : 3 , 2 / 3 ), 

X'i = 58714658884321859706339658012314, J/3 = 29352359294307548304481400079114. 

The time of computation : 177 sec. 

2) Compute the FR pairing: 

Set div{f) := n{{P) - (O)), div{g) := n{{R) - (O)) and D := (S') - (T), 
then 

{^,^}o.n = j^= 28089673702084922579189210362050, 

= 86048548119736537511939909279595, 

{Q,D}o,n = f(|} = 54538105615281807032380914744128, 

= 44179423723975173427344893182175. 

The time of computation: 

computation of /(S): 982 sec, computation of f{T): 996 sec, 
computation of g{S): 971 sec, computation of g{T): 968 sec, 
computation of : 5 sec, computation of : 6 sec. 

3) Solve the DTP: (86048548119736537511939909279595)' 

= 44179423723975173427344893182175 mod p, 

find that I = 764009. 

Next, in Examples 3 and 4, the FR and MOV reductions were applied to
supersingular ECs, and the experimental data of both reductions were analyzed
and compared.

Example 3 (Supersingular EC) Suppose that the curve $E/\mathbb{F}_p : y^2 = x^3 +
ax + b$, the base point $P = (x_0, y_0) \in E(\mathbb{F}_p)$, the order $n$ of $P$, and a point
$R = [l]P = (x_1, y_1)$ are given as follows:

$p = 23305425500899$ (binary 45 bits, $p + 1 = 2^2 \times 5^2 \times 29 \times 1217 \times 6603413$),
$a = 1$, $b = 0$,
$n = 6603413$,
$x_0 = 18414716422748$, $y_0 = 9607997424906$,
$x_1 = 22829488331658$, $y_1 = 15463570264423$.

Since $E(\mathbb{F}_p) \cong \mathbb{Z}_{p+1}$ and $E(\mathbb{F}_{p^2}) \cong \mathbb{Z}_{p+1} \oplus \mathbb{Z}_{p+1}$, the definition field $\mathbb{F}_p$
is extended to $\mathbb{F}_{p^2}$ to apply the FR and MOV reductions. Then, we find that
$l = 4500974$.



Example 4 (Supersingular EC) Suppose that the curve $E/\mathbb{F}_p : y^2 = x^3 +
ax + b$, the base point $P = (x_0, y_0) \in E(\mathbb{F}_p)$, the order $n$ of $P$, and a point
$R = [l]P = (x_1, y_1)$ are given as follows:

$p = 10202130657668293802865103277946942060930683196983$
(binary 163 bits, $p + 1 = 2^3 \times 3^3 \times 59 \times 113 \times 7084458733777404048453899025845195282548847$),
$a = 1$, $b = 0$,
$n = 7084458733777404048453899025845195282548847$,
$x_0 = 6361408431660145018472734964469918949727993631117$,
$y_0 = 222428572612516351526464210931959631877226149291$,
$x_1 = 1791400202383882094094972648523798358242766050148$,
$y_1 = 6662282879825452479945554028296857282243572635001$.

Since $E(\mathbb{F}_p) \cong \mathbb{Z}_{(p+1)/2} \oplus \mathbb{Z}_2$ and $E(\mathbb{F}_{p^2}) \cong \mathbb{Z}_{p+1} \oplus \mathbb{Z}_{p+1}$, the definition field
$\mathbb{F}_p$ is extended to $\mathbb{F}_{p^2}$ to apply the FR and MOV reductions. Set $g(\alpha) := \alpha^2 + 1$
(irreducible over $\mathbb{F}_p$ since $p \equiv 3 \bmod 4$). Then $\mathbb{F}_{p^2} = \mathbb{F}_p[\alpha]/g(\alpha)$.



For Example 4, the FR and MOV reduction processes were implemented as
follows:

(FR reduction):

1) Choose random points $S, T \in E(\mathbb{F}_{p^2})$:

$S = (x_2, y_2)$,
$x_2 = 5$,
$y_2 = 2785279641020018517947594885587158401374598752249\alpha$,

$T = (x_3, y_3)$,
$x_3 = 3385306113851451711868938545058221186172597937436$,
$y_3 = 4986770654406953531745186184758026961048619598992$.

The time of computation: 2245 sec.

2) Compute the FR pairing:

Set $\mathrm{div}(f) := n((P) - (O))$, $\mathrm{div}(g) := n((R) - (O))$ and $D := (S) - (T)$,
then

$\{P, D\}_{O,n} = \dfrac{f(S)}{f(T)}$
$= 3533166625479465632799073949081211397797456268974\alpha + 04001496656282493042880656119736166996221452751615$,

$\left(\dfrac{f(S)}{f(T)}\right)^{(p^2-1)/n}$
$= 5010350267319872795048848896836646242920060597592\alpha + 6845979045282387430745118341017487648956259367889$,

$\{R, D\}_{O,n} = \dfrac{g(S)}{g(T)}$
$= 7618053821224285687383466174720252396501663499416\alpha + 05910267516953452268669659762088222325143176074230$,

$\left(\dfrac{g(S)}{g(T)}\right)^{(p^2-1)/n}$
$= 1354335315181821211682485365859218098755278877378\alpha + 8654410318384179317451981196322210287393432354847$.

The time of computation:

computation of $f(S)$: 39667 sec, computation of $f(T)$: 40023 sec,
computation of $g(S)$: 39634 sec, computation of $g(T)$: 39646 sec,
computation of $(f(S)/f(T))^{(p^2-1)/n}$: 116 sec, computation of $(g(S)/g(T))^{(p^2-1)/n}$: 136 sec.

3) Solve the DLP:

$(5010350267319872795048848896836646242920060597592\alpha + 6845979045282387430745118341017487648956259367889)^l$
$= 1354335315181821211682485365859218098755278877378\alpha + 8654410318384179317451981196322210287393432354847$ in $\mathbb{F}_{p^2}$,

and find $l = 3882677356899000378261873813993378$.



(MOV reduction): Let $S, T$ be as in the FR reduction.

1) Compute a point $Q = (x_4, y_4) \in E(\mathbb{F}_{p^2})$ of order $n$:

$x_4 = 2686073998998561952934233204632904496418536385138$,
$y_4 = 7693683030135341554015734905157658084500223439095\alpha$.

The time of computation of $Q$: 1203 sec.

2) Compute the Weil pairing:

Set $\mathrm{div}(f) = n((P + S) - (S))$, $\mathrm{div}(g) = n((R + S) - (S))$ and
$\mathrm{div}(h) = n((Q + T) - (T))$, then

$e_n(P, Q) = \dfrac{f(Q + T)}{f(T)} \cdot \dfrac{h(S)}{h(P + S)}$
$= 5191780390348421007816254381110295818010622599391\alpha + 6845979045282387430745118341017487648956259367889$,

$e_n(R, Q) = \dfrac{g(Q + T)}{g(T)} \cdot \dfrac{h(S)}{h(R + S)}$
$= 8847795342486472591182617912087723962175404319605\alpha + 8654410318384179317451981196322210287393432354847$.

The time of computation:

computation of $f(Q + T)$: 39972 sec, computation of $f(T)$: 39720 sec,
computation of $h(S)$: 39626 sec, computation of $h(P + S)$: 39850 sec,
computation of $g(Q + T)$: 39992 sec, computation of $g(T)$: 39956 sec,
computation of $h(R + S)$: 39862 sec.

3) Solve the DLP:

$(5191780390348421007816254381110295818010622599391\alpha + 6845979045282387430745118341017487648956259367889)^l$
$= 8847795342486472591182617912087723962175404319605\alpha + 8654410318384179317451981196322210287393432354847$ in $\mathbb{F}_{p^2}$,

and find $l = 3882677356899000378261873813993378$.



When we implement the FR and MOV reductions, two random points are
needed. The numbers of function values needed to compute the pairings for
the FR and MOV reductions are four and seven, respectively. In both re-
ductions, the computation of function values dominates the whole computation
time (Table 1).

From the implementation data and the above consideration, the computation
of function values needed to implement the FR and MOV reductions may be a
heavy load. For each reduction, the computation of pairings actually dominates
the whole computation time, while the other steps take only time polynomial in
$\log p$ as well. We find that the running time of the FR reduction is almost 4/7 times
as much as that of the MOV reduction.
Table 1. The time of computation in Examples 1-4

  Type         log q    k    Running time (sec)
  Example 1      46     1    FR reduction      419
  Example 2     108     1    FR reduction     4105
  Example 3      46     2    FR reduction      999
                             MOV reduction    1872
  Example 4     164     2    FR reduction   161467
                             MOV reduction  282426

log q and k are the binary size of the definition field and
the necessary minimum extension degree, respectively.



4 Comparing the (Extended) MOV and FR Reductions

We extended the MOV reduction so that it can be applied to some non-supersin-
gular ECs, and implemented the FR reduction to understand the whole process.
Now it is time to compare the two reductions.

4.1 On the Extension Degrees

Bad news for the MOV reduction is the following fact on group structures, which
is due to R. Schoof [20].

Proposition 2 ([20]) The following two conditions are equivalent:

1. $E[n] \subset E(\mathbb{F}_{q^k})$;

2. $n \mid q^k - 1$, $n^2 \mid \#E(\mathbb{F}_{q^k})$, and either $\phi \in \mathbb{Z}$ or $\mathcal{O}\!\left(\dfrac{t_k^2 - 4q^k}{n^2}\right) \subset \mathrm{End}_{\mathbb{F}_{q^k}}(E)$,

where $\phi$ and $t_k$ denote the $q^k$-Frobenius endomorphism of $E/\mathbb{F}_{q^k}$ and its trace,
respectively, and $\mathcal{O}\!\left(\frac{t_k^2 - 4q^k}{n^2}\right)$ and $\mathrm{End}_{\mathbb{F}_{q^k}}(E)$ are the order of discriminant $\frac{t_k^2 - 4q^k}{n^2}$
and the endomorphism ring of $E/\mathbb{F}_{q^k}$ in which the isogenies are defined over $\mathbb{F}_{q^k}$,
respectively.

In this sense, the condition under which the FR can be applied generally includes
the one under which the MOV can be applied.

On the contrary, here is good news for the MOV reduction: the difference is
not so large between the two conditions for the extension degree $k$ under which the
MOV and FR reductions can be applied. In fact, R. Balasubramanian and N.
Koblitz proved the following:

Proposition 3 Suppose $n \mid \#E(\mathbb{F}_q)$, and that $n$ is a prime with $p \neq n$,
$n \nmid q - 1$. Then,

$E[n] \subset E(\mathbb{F}_{q^k}) \iff n \mid q^k - 1.$

Based on the proof of Proposition 3, we show the following result that provides
us with important information for comparing the extension degrees for the MOV
and FR reductions, although it may be clear from the reference cited.

Remark 1 Suppose $E[n] \not\subset E(\mathbb{F}_q)$ and that $n$ is a prime. If $n \mid q - 1$, then

$E[n] \subset E(\mathbb{F}_{q^k}) \iff k = nj \text{ with } j \geq 1.$

Proof: We pick the basis $\{P, T\}$ of $E[n]$ so that the matrix expression on $E[n]$
of the $q$-Frobenius endomorphism $\phi$ is given by

$M = \begin{pmatrix} 1 & a \\ 0 & 1 \end{pmatrix} \in \mathrm{GL}_2(\mathbb{Z}_n).$

(Recall $q \equiv 1 \bmod n$.) Then, the matrix that expresses $\phi^k$ is $M^k = \begin{pmatrix} 1 & ka \\ 0 & 1 \end{pmatrix}$.
Thus,

$\phi^k(T) = T \iff ka \equiv 0 \bmod n \iff k \equiv 0 \bmod n,$

where we have used $a \not\equiv 0 \bmod n$ since $E[n] \not\subset E(\mathbb{F}_q)$. Thus, $k = nj$ with $j \geq 1$.

□

If $E[n] \not\subset E(\mathbb{F}_q)$ and $n \mid q - 1$, Remark 1 implies that the extension degree $k$
is no less than $n$, which further means that an exponential number of extensions
are needed in the MOV reduction. Hence, then, we will have to give up applying
the MOV reduction.

4.2 On the Efficiency of the Reductions

In the following, assuming $n \nmid q - 1$, we compare the efficiency of the MOV and
FR reductions.

We exclude the following computation in the pre-processing:

1. counting $\#E(\mathbb{F}_q)$, say by Schoof's algorithm [21], and

2. factoring $\#E(\mathbb{F}_q)$.

Moreover, suppose that the DLP that is obtained by both reductions from
the ECDLP essentially has the same difficulty. Then, all we should compare is
the main part of the reductions, i.e. Steps 2-3 in Algorithm 1 and Steps 2-5 in
Algorithm 2.

However, as considered in Section 2, compared to the FR reduction, addi-
tional computation is needed to find the group structure of $E(\mathbb{F}_{q^k})$ for the
proposed MOV reduction, although it is computed in subexponential time.

Moreover, as for the application of the MOV reduction, we must give up the
application if $e > 1$ in Theorem 1. Besides, we should notice that computing
the Weil pairing requires almost twice the time that the pairing in the FR reduction
takes.
4.3 The Actual Difference of the Conditions Between the Two
Reductions

At present, we find that there are still two conditions under which the FR can
be applied but the MOV cannot:

1. $n \mid q - 1$; and

2. $E[n] \subset E(\mathbb{F}_{q^k})$ but $e \geq 2$ (the case $e > 1$ of Theorem 1).

Besides, the factorization of $\#E(\mathbb{F}_{q^k})$ is needed to apply Miller's algorithm.
(This might be solved immediately because Miller's algorithm sometimes does
not require complete factorization.)

Even if the second condition is cleared in the future, the FR reduction is
superior to the MOV reduction for the computation of the main part, i.e. for
computing the pairings, the MOV requires almost twice the time that the FR takes.

In this regard, we must conclude that practically, in any situation the FR
reduction is better than the MOV reduction from an algorithmic point of view.
Abstract. J. Patarin designed a new scheme, called “Oil and Vinegar”, for computing
asymmetric signatures. It is very simple, can be computed very fast (both in secret
and public key) and requires very little RAM in smartcard implementations. The idea
consists in hiding quadratic equations in $n$ unknowns called “oil” and $v = n$ unknowns
called “vinegar” over a finite field $K$, with linear secret functions. This original
scheme was broken in [10] by A. Kipnis and A. Shamir. In this paper, we study some
very simple variations of the original scheme where $v > n$ (instead of $v = n$). These
schemes are called “Unbalanced Oil and Vinegar” (UOV), since we have more “vinegar”
unknowns than “oil” unknowns. We show that, when $v \approx n$, the attack of [10] can be
extended, but when $v \geq 2n$ for example, the security of the scheme is still an open
problem. Moreover, when $v \approx \frac{n^2}{2}$, the security of the scheme is exactly equivalent
(if we accept a very natural but not proved property) to the problem of solving a
random set of $n$ quadratic equations in $\frac{n^2}{2}$ unknowns (with no trapdoor). However,
we show that (in characteristic 2) when $v \geq n^2$, finding a solution is generally easy.
Then we will see that it is very easy to combine the Oil and Vinegar idea and the HFE
schemes. The resulting scheme, called HFEV, looks at present also very interesting both
from a practical and theoretical point of view. The length of a UOV signature can be
as short as 192 bits and for HFEV it can be as short as 80 bits.

Note: An extended version of this paper can be obtained from the authors.

1 Introduction

Since 1985, various authors have suggested some public key schemes where the public
key is given as a set of multivariate quadratic (or higher degree) equations over a
small finite field $K$.

The general problem of solving such a set of equations is NP-hard (even in the
quadratic case). Moreover, when the number of unknowns is, say, $n \geq 16$, the best
known algorithms are often not significantly better than exhaustive search (when $n$
is very small, Gröbner bases algorithms are more efficient).

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 206-222, 1999.

(c) Springer-Verlag Berlin Heidelberg 1999
The schemes are often very efficient in terms of speed or RAM required in a
smartcard implementation. (However, the length of the public key is generally
> 1 Kbyte. Nevertheless, it is sometimes useful to notice that secret key compu-
tations can be performed without the public key.) The most serious problem is
that, in order to introduce a trapdoor (to allow the computation of signatures
or to allow the decryption of messages when a secret is known), the generated
set of public equations generally becomes a small subset of all the possible equa-
tions and, in many cases, the algorithms have been broken. For example, some
schemes were broken by their own authors, and others were broken afterwards.
However, many schemes are still not broken (for example [23]), and also in many
cases, some very simple variations have been suggested in order to repair the schemes.
Therefore, at present, we do not know whether this idea of designing public
key algorithms with multivariate polynomials over small finite fields is a very
powerful idea (where only some too simple schemes are insecure) or not.

In this paper, we will present two new schemes: UOV and HFEV. UOV is a
very simple scheme: the original Oil and Vinegar signature scheme (of Patarin) was
broken (see [10]), but if we have significantly more “vinegar” unknowns than
“oil” unknowns (a definition of the “oil” and “vinegar” unknowns can be found
in section 2), then the attack of [10] does not work and the security of this more
general scheme (called UOV) is still an open problem. We will also study Oil and
Vinegar schemes of degree three (instead of two). Then, we will present another
scheme, called HFEV. HFEV combines the ideas of HFE and of vinegar
variables. HFEV looks more efficient than the original HFE scheme. Finally, in
section 13, we present what we know about the main schemes in this area of
multivariate polynomials.



2 The (Original and Unbalanced) Oil and Vinegar of
Degree Two

Let $K = \mathbb{F}_q$ be a small finite field (for example $K = \mathbb{F}_2$). Let $n$ and $v$ be two
integers. The message to be signed (or its hash) is represented as an element of
$K^n$, denoted by $y = (y_1, \ldots, y_n)$. Typically, $q^n \approx 2^{128}$ (in section 8, we will see
that $q^n \approx 2^{64}$ is also possible). The signature $x$ is represented as an element of
$K^{n+v}$, denoted by $x = (x_1, \ldots, x_{n+v})$.

Secret Key

The secret key is made of two parts:

1. A bijective and affine function $s : K^{n+v} \to K^{n+v}$. By “affine”, we mean that
each component of the output can be written as a polynomial of degree one
in the $n + v$ input unknowns, and with coefficients in $K$.

2. A set $(S)$ of $n$ equations of the following type:

$\forall i,\ 1 \leq i \leq n,\quad y_i = \sum_{j,k} \gamma_{ijk}\, a_j a'_k + \sum_{j,k} \lambda_{ijk}\, a'_j a'_k + \sum_j \xi_{ij}\, a_j + \sum_j \xi'_{ij}\, a'_j + \delta_i \qquad (S).$

The coefficients $\gamma_{ijk}$, $\lambda_{ijk}$, $\xi_{ij}$, $\xi'_{ij}$ and $\delta_i$ are the secret coefficients of these
$n$ equations. The values $a_1, \ldots, a_n$ (the “oil” unknowns) and $a'_1, \ldots, a'_v$ (the
“vinegar” unknowns) lie in $K$. Note that these equations $(S)$ contain no
terms in $a_i a_j$.

Public Key

Let $A$ be the element of $K^{n+v}$ defined by $A = (a_1, \ldots, a_n, a'_1, \ldots, a'_v)$. $A$ is trans-
formed into $x = s^{-1}(A)$, where $s$ is the secret, bijective and affine function from
$K^{n+v}$ to $K^{n+v}$. Each value $y_i$, $1 \leq i \leq n$, can be written as a polynomial $P_i$ of
total degree two in the $x_j$ unknowns, $1 \leq j \leq n + v$. We denote by $(P)$ the set
of the following $n$ equations:

$\forall i,\ 1 \leq i \leq n,\quad y_i = P_i(x_1, \ldots, x_{n+v}) \qquad (P).$

These $n$ quadratic equations $(P)$ (in the $n + v$ unknowns $x_j$) are the public key.

Computation of a Signature (with the Secret Key)

The computation of a signature $x$ of $y$ is performed as follows:

Step 1: We find $n$ unknowns $a_1, \ldots, a_n$ of $K$ and $v$ unknowns $a'_1, \ldots, a'_v$ of $K$ such
that the $n$ equations $(S)$ are satisfied. This can be done as follows: we randomly
choose the $v$ vinegar unknowns $a'_i$, and then we compute the $a_i$ unknowns from
$(S)$ by Gaussian reductions (because - since there are no $a_i a_j$ terms - the $(S)$
equations are affine in the $a_i$ unknowns when the $a'_i$ are fixed).

Remark: If we find no solution, then we simply try again with new random
vinegar unknowns. After very few tries, the probability of obtaining at least one
solution is very high, because the probability for an $n \times n$ matrix over $\mathbb{F}_q$ to be
invertible is not negligible. (It is exactly $(1 - \frac{1}{q})(1 - \frac{1}{q^2}) \cdots (1 - \frac{1}{q^n})$. For $q = 2$,
this gives approximately 30 %, and for $q > 2$, this probability is even larger.)

Step 2: We compute $x = s^{-1}(A)$, where $A = (a_1, \ldots, a_n, a'_1, \ldots, a'_v)$. $x$ is a signature
of $y$.

Public Verification of a Signature

A signature $x$ of $y$ is valid if and only if all the $(P)$ are satisfied. As a result,
no secret is needed to check whether a signature is valid: this is an asymmetric
signature scheme.

Note: The name “Oil and Vinegar” comes from the fact that - in the equations
$(S)$ - the “oil unknowns” $a_i$ and the “vinegar unknowns” $a'_i$ are not all mixed
together: there are no $a_i a_j$ products. However, in $(P)$, this property is hidden by
the “mixing” of the unknowns by the $s$ transformation. Is this property “hidden
enough”? In fact, this question exactly means: “is the scheme secure?”. When
$v = n$, we call the scheme “Original Oil and Vinegar”, since this is the case that was
first presented. This case was broken in [10]. It is very easy to see that the
cryptanalysis of [10] also works, exactly in the same way, when $v < n$. However,
the cases $v > n$ are, as we will see, much more difficult. When $v > n$, we call the
scheme “Unbalanced Oil and Vinegar”.



3 Cryptanalysis of the Case $v = n$ (from [10])

The idea of the attack of [10] is essentially the following: In order to separate
the oil variables and the vinegar variables, we look at the quadratic forms of
the $n$ public equations of $(P)$; we omit for a while the linear terms. Let $G_i$ for
$1 \leq i \leq n$ be the respective matrix of the quadratic form of $P_i$ of the public
equations $(P)$. The quadratic part of the equations in the set $(S)$ is represented
as a quadratic form with a corresponding $2n \times 2n$ matrix of the form

$\begin{pmatrix} 0 & A \\ B & C \end{pmatrix};$

the upper left $n \times n$ zero submatrix is due to the fact that an oil variable is not
multiplied by an oil variable. After hiding the internal variables with the linear
function $s$, we get a representation for the matrices

$G_i = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t, \quad \text{where } S \text{ is an invertible } 2n \times 2n \text{ matrix.}$

Definition 3.1: We define the oil subspace to be the linear subspace of all
vectors in $K^{2n}$ whose second half contains only zeros.

Definition 3.2: We define the vinegar subspace as the linear subspace of all
vectors in $K^{2n}$ whose first half contains only zeros.

Lemma 1. Let $E$ and $F$ be $2n \times 2n$ matrices with an upper left zero $n \times n$
submatrix. If $F$ is invertible then the oil subspace is an invariant subspace of
$EF^{-1}$.

Proof: see [10]. □

Definition 3.4: For an invertible matrix $G_j$, define $G_{ij} = G_i G_j^{-1}$.

Definition 3.5: Let $O$ be the image of the oil subspace by $S^{-1}$.

In order to find the oil subspace, we use the following theorem:

Theorem 3.1. $O$ is a common invariant subspace of all the matrices $G_{ij}$.

Proof:

$G_{ij} = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t (S^t)^{-1} \begin{pmatrix} 0 & A_j \\ B_j & C_j \end{pmatrix}^{-1} S^{-1} = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} \begin{pmatrix} 0 & A_j \\ B_j & C_j \end{pmatrix}^{-1} S^{-1}.$

The two inner matrices have the form of $E$ and $F$ in Lemma 1. Therefore, the
oil subspace is an invariant subspace of the inner term and $O$ is an invariant
subspace of $G_i G_j^{-1}$. The problem of finding a common invariant subspace of a set
of matrices has known algorithms (see [10]); applying them gives us $O$. We
then pick $V$ to be an arbitrary subspace of dimension $n$ such that $V + O = K^{2n}$,
and they give an equivalent oil and vinegar separation. Once we have such a
separation, we bring back the linear terms that were omitted, we pick random
values for the vinegar variables and are left with a set of $n$ linear equations in $n$
oil variables. □

Note: Lemma 1 is not true any more when $v > n$. The oil subspace is still
mapped by $E$ and $F$ into the vinegar subspace. However $F^{-1}$ does not necessarily
map the image by $E$ of the oil subspace back into the oil subspace, and this is why
the cryptanalysis of the original oil and vinegar is not valid for the unbalanced
case.



4 Cryptanalysis when $v > n$ and $v \approx n$

In this section, we will describe a modification of the above attack, that is ap-
plicable as long as $v - n$ is small (more precisely the expected complexity of the
attack is approximately $q^{v-n-1} \cdot n^4$).

Definition 4.1: We define in this section the oil subspace to be the linear
subspace of all vectors in $K^{n+v}$ whose last $v$ coordinates are only zeros.

Definition 4.2: We define in this section the vinegar subspace to be the linear
subspace of all vectors in $K^{n+v}$ whose first $n$ coordinates are only zeros.

Here in this section, we start with the homogeneous quadratic terms of the
equations: we omit the linear terms for a while. The matrices $G_i$ have the rep-
resentation

$G_i = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t,$

where the upper left matrix is the $n \times n$ zero matrix, $A_i$ is an $n \times v$ matrix, $B_i$ is
a $v \times n$ matrix, $C_i$ is a $v \times v$ matrix and $S$ is an $(n + v) \times (n + v)$ invertible linear
matrix.

Definition 4.3: Define $E_i$ to be $\begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix}$.

Lemma 2. For any matrix $E$ that has the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$, the following holds:

a) $E$ transforms the oil subspace into the vinegar subspace.

b) If the matrix $E^{-1}$ exists, then the image of the vinegar subspace by $E^{-1}$ is
a subspace of dimension $v$ which contains the $n$-dimensional oil subspace in
it.

Proof: a) follows directly from the definition of the oil and vinegar subspaces.
When a) is given then b) is immediate. □

The algorithm we propose is probabilistic. It looks for an invariant subspace
of the oil subspace after it is transformed by $S$. The probability for the algorithm
to succeed on the first try is small. Therefore we need to repeat it with different
inputs. We use the following property: any linear combination of the matrices
$E_1, \ldots, E_n$ is also of the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$. The following theorem explains why an
invariant subspace may exist with a certain probability.

Theorem 4.1. Let $F$ be an invertible linear combination of the matrices $E_1, \ldots,
E_n$. Then for any $k$ such that $E_k^{-1}$ exists, the matrix $F E_k^{-1}$ has a non trivial
invariant subspace which is also a subspace of the oil subspace, with probability
not less than a bound depending on $d = v - n$.

Proof: See the extended version of this paper. □

Note: It is possible to get a better result for the expected number of eigenvec-
tors and with much less effort: $I_1$ (the part of the oil subspace that $F E_k^{-1}$ maps
back into the oil subspace) is a subspace with dimension not less than $n - d$
and is mapped by $F E_k^{-1}$ into a subspace with dimension $n$. The probability for a
non zero vector to be mapped to a non zero multiple of itself is $\frac{q - 1}{q^n}$. To get the
expected value, we multiply it by the number of non zero vectors in $I_1$. It gives
a value which is not less than $\frac{(q^{n-d} - 1)(q - 1)}{q^n}$. Since every eigenvector is counted
$q - 1$ times, the expected number of invariant subspaces of dimension 1 is
not less than $\frac{q^{n-d} - 1}{q^n} \approx q^{-d}$.

We define $O$ as in section 3 and we get the following result for $O$:

Theorem 4.2. Let $F$ be an invertible linear combination of the matrices $G_1,
\ldots, G_n$. Then for any $k$ such that $G_k^{-1}$ exists, the matrix $F G_k^{-1}$ has a non trivial
invariant subspace, which is also a subspace of $O$, with probability not less than
the same bound (depending on $d = v - n$) as in Theorem 4.1.

Proof:

$F G_k^{-1} = (a_1 G_1 + \cdots + a_n G_n) G_k^{-1} = S (a_1 E_1 + \cdots + a_n E_n) S^t (S^t)^{-1} E_k^{-1} S^{-1} = S (a_1 E_1 + \cdots + a_n E_n) E_k^{-1} S^{-1}.$

The inner term has an invariant subspace inside the oil subspace with the required
probability. Therefore, the same will hold for $F G_k^{-1}$, but instead of a subspace
of the oil subspace, we get a subspace of $O$. □

How to find $O$?

We take a random linear combination of $G_1, \ldots, G_n$ and multiply it by an
inverse of one of the $G_k$ matrices. Then we calculate all the minimal invariant
subspaces of this matrix (a minimal invariant subspace of a matrix $A$ contains
no non trivial invariant subspaces of the matrix $A$ - these subspaces correspond
to irreducible factors of the characteristic polynomial of $A$). This can be done
in probabilistic polynomial time using standard linear algebra techniques. This
matrix may have an invariant subspace which is a subspace of $O$.

The following lemma enables us to distinguish between subspaces that are
contained in $O$ and random subspaces.

Lemma 3. If $H$ is a linear subspace and $H \subset O$, then for every $x, y$ in $H$ and
every $i$, $G_i(x, y) = 0$ (here we regard $G_i$ as a bilinear form).

Proof: There are $x'$ and $y'$ in the oil subspace such that $x' = xS$ and $y' = yS$.

$G_i(x, y) = x S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t y^t = x' \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} (y')^t = 0.$

The last term is zero because $x'$ and $y'$ are in the oil subspace. □

Lemma 3 gives a polynomial test to distinguish between subspaces of $O$ and
random subspaces. If the matrix we used has no minimal subspace which is also
a subspace of $O$, then we pick another linear combination of $G_1, \ldots, G_n$, multiply
it by an inverse of one of the $G_k$ matrices and try again. After repeating this
process approximately $q^{d-1}$ times, we find with good probability at least one
non zero vector of $O$. We continue the process until we get $n$ independent vectors of
$O$. These vectors span $O$. The expected complexity of the process is proportional
to $q^{d-1} \cdot n^4$. We use here the expected number of tries until we find a non trivial
invariant subspace, and the term $n^4$ covers the computational linear algebra
operations we need to perform for every try.
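The scheme of Section 2 (key generation, Step 1 and Step 2 of signing, public verification) together with the Lemma 3 test above, carried out in code as an added example that is not the authors' implementation. It assumes $K = \mathbb{F}_q$ with $q$ a small prime, stores each quadratic polynomial as a coefficient matrix acting on the homogenised column vector $(x_1, \ldots, x_{n+v}, 1)$ (so the public quadratic parts are $G_i = M^t F_i M$ for the linear part $M$ of $s$, and $O$ is the image of the oil subspace under $M^{-1}$: the transpose of the row-vector convention used in the text), and uses $n = 3$, $v = 6 = 2n$, $q = 31$ for the demonstration; all function names are the example's own.

```python
"""Unbalanced Oil and Vinegar of degree two: key generation, signing, verification, and the
Lemma 3 test for the hidden oil subspace O. Added example, not the authors' code.
Assumptions: K = F_q with q a small prime; a quadratic polynomial in N = n + v unknowns is
stored as an (N+1)x(N+1) coefficient matrix Q on the homogenised column vector z = (x, 1),
its value being z^T Q z; so an (S) equation is a matrix with a zero n x n oil-oil block."""
import random

def inv(x, q):
    return pow(x % q, q - 2, q)  # q prime

def mat_inv(M, q):
    """Gauss-Jordan inverse over F_q; None when M is singular."""
    k = len(M)
    A = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(M)]
    for col in range(k):
        piv = next((r for r in range(col, k) if A[r][col] % q), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        f = inv(A[col][col], q)
        A[col] = [u * f % q for u in A[col]]
        for r in range(k):
            if r != col and A[r][col] % q:
                g = A[r][col]
                A[r] = [(u - g * w) % q for u, w in zip(A[r], A[col])]
    return [row[k:] for row in A]

def mat_mul(A, B, q):
    return [[sum(u * w for u, w in zip(row, col)) % q for col in zip(*B)] for row in A]

def quad_eval(Q, z, q):
    """z^T Q z mod q."""
    return sum(z[i] * Q[i][j] * z[j] for i in range(len(z)) for j in range(len(z))) % q

def keygen(n, v, q, rng):
    """Secret key: the n equations (S) and the affine bijection s; public key (P): P_i = T^T F_i T."""
    N = n + v
    F = []
    for _ in range(n):                                   # (S): y_i = A_hat^T F_i A_hat, A_hat = (a, a', 1)
        Fi = [[rng.randrange(q) for _ in range(N + 1)] for _ in range(N + 1)]
        for j in range(n):
            for k in range(n):
                Fi[j][k] = 0                             # no oil x oil terms a_j a_k
        F.append(Fi)
    while True:                                          # s: x -> A = M x + c, M invertible
        M = [[rng.randrange(q) for _ in range(N)] for _ in range(N)]
        Minv = mat_inv(M, q)
        if Minv is not None:
            break
    c = [rng.randrange(q) for _ in range(N)]
    T = [M[i] + [c[i]] for i in range(N)] + [[0] * N + [1]]  # s on homogenised vectors
    Tt = [list(col) for col in zip(*T)]
    P = [mat_mul(mat_mul(Tt, Fi, q), T, q) for Fi in F]   # y_i = F_i(s(x)) = x_hat^T T^T F_i T x_hat
    return {"n": n, "v": v, "q": q, "F": F, "Minv": Minv, "c": c}, P

def sign(sk, y, rng):
    """Step 1: random vinegar, then Gaussian reduction for the oil; Step 2: x = s^{-1}(A)."""
    n, v, q, F = sk["n"], sk["v"], sk["q"], sk["F"]
    while True:
        w = [rng.randrange(q) for _ in range(v)] + [1]       # (a'_1, ..., a'_v, 1)
        # with the vinegar fixed, (S) is affine in the oil: y_i = sum_j C[i][j] a_j + d[i]
        C = [[sum((Fi[j][n + k] + Fi[n + k][j]) * w[k] for k in range(v + 1)) % q
              for j in range(n)] for Fi in F]
        d = [sum(w[k] * Fi[n + k][n + l] * w[l] for k in range(v + 1) for l in range(v + 1)) % q
             for Fi in F]
        Cinv = mat_inv(C, q)
        if Cinv is None:                                     # singular: redraw the vinegar
            continue
        t = [(y[i] - d[i]) % q for i in range(n)]
        A = [sum(Cinv[j][i] * t[i] for i in range(n)) % q for j in range(n)] + w[:v]
        Ac = [(A[i] - sk["c"][i]) % q for i in range(n + v)]
        return [sum(r[j] * Ac[j] for j in range(n + v)) % q for r in sk["Minv"]]

def verify(P, x, y, q):
    """Public check: y_i = P_i(x_1, ..., x_{n+v}) for all i; needs no secret."""
    return all(quad_eval(Pi, list(x) + [1], q) == yi for Pi, yi in zip(P, y))

def oil_subspace(sk):
    """O = image of the oil subspace under s^{-1} (linear part): the first n columns of M^{-1}."""
    return [[row[j] for row in sk["Minv"]] for j in range(sk["n"])]

def lemma3_holds(P, basis, q):
    """Lemma 3 test: G_i(x, y) = 0 for all x, y in the subspace, G_i = quadratic part of P_i."""
    N = len(basis[0])
    G = [[row[:N] for row in Pi[:N]] for Pi in P]
    return all(sum(x[i] * Gi[i][j] * z[j] for i in range(N) for j in range(N)) % q == 0
               for Gi in G for x in basis for z in basis)

def demo(n=3, v=6, q=31, seed=7):
    """Sign one random y; check it, a tampered y, Lemma 3 on O and on a random n-dim subspace."""
    rng = random.Random(seed)
    sk, pk = keygen(n, v, q, rng)
    y = [rng.randrange(q) for _ in range(n)]
    x = sign(sk, y, rng)
    rand_basis = [[rng.randrange(q) for _ in range(n + v)] for _ in range(n)]
    return {"valid": verify(pk, x, y, q),
            "tampered_rejected": not verify(pk, x, [(y[0] + 1) % q] + y[1:], q),
            "oil_isotropic": lemma3_holds(pk, oil_subspace(sk), q),
            "random_isotropic": lemma3_holds(pk, rand_basis, q)}

if __name__ == "__main__":
    print(demo())
```

`sign` retries with fresh vinegar whenever the $n \times n$ oil system is singular, which is the Remark of Section 2 in code; `lemma3_holds` is the polynomial test of Lemma 3, returning true on the $n$ columns of $M^{-1}$ spanning $O$ and false on a random $n$-dimensional subspace, which is exactly how an attacker who has computed a candidate invariant subspace tells $O$ apart from noise.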

5 The Cases $v \approx \frac{n^2}{2}$ (or $v \geq \frac{n^2}{2}$)

Property

Let $(A)$ be a random set of $n$ quadratic equations in $(n + v)$ variables $x_1, \ldots, x_{n+v}$
(by “random” we mean that the coefficients of these equations are uniformly and
randomly chosen). When $v \approx \frac{n^2}{2}$ (and more generally when $v \geq \frac{n^2}{2}$), there is
probably - for most of such $(A)$ - a linear change of variables $(x_1, \ldots, x_{n+v}) \mapsto
(x'_1, \ldots, x'_{n+v})$ such that the set $(A')$ of $(A)$ equations written in $(x'_1, \ldots, x'_{n+v})$ is
an “Oil and Vinegar” system (i.e. there are no terms in $x'_i \cdot x'_j$ with $i \leq n$ and
$j \leq n$).

An Argument to Justify the Property

Let

$x_1 = \alpha_{1,1} x'_1 + \alpha_{1,2} x'_2 + \cdots + \alpha_{1,n+v} x'_{n+v}$
$\vdots$
$x_{n+v} = \alpha_{n+v,1} x'_1 + \alpha_{n+v,2} x'_2 + \cdots + \alpha_{n+v,n+v} x'_{n+v}.$

By writing that the coefficient in all the $n$ equations of $(A)$ of all the $x'_i \cdot x'_j$
($i \leq n$ and $j \leq n$) is zero, we obtain a system of $n \cdot \frac{n(n+1)}{2}$ quadratic equations
in the $(n + v) \cdot n$ variables $\alpha_{i,j}$ ($1 \leq i \leq n + v$, $1 \leq j \leq n$). Therefore, when $v \geq$
approximately $\frac{n^2}{2}$, we may expect to have a solution for this system of equations
for most of $(A)$.

Remarks:

1. This argument is very natural, but this is not a complete mathematical proof.

2. The system may have a solution, but finding the solution might be a difficult
problem. This is why an Unbalanced Oil and Vinegar scheme might be secure
(for well chosen parameters): there is always a linear change of variables that
makes the problem easy to solve, but finding such a change of variables might
be difficult.

3. In section 7, we will see that, despite the result of this section, it is not
recommended to choose $v \geq n^2$ (at least in characteristic 2).



6 Solving a Set of $n$ Quadratic Equations in $k$ Unknowns,
$k \geq n$, Is NP-hard

(See the extended version of this paper.)



7 A Generally (but Not Always) Efficient Algorithm for
Solving a Random Set of $n$ Quadratic Equations in $n^2$
(or More) Unknowns

In this section, we describe an algorithm that solves a system of $n$ randomly
chosen quadratic equations in $n + v$ variables, when $v \geq n^2$.

Let $(S)$ be the following system:

$(S) \quad \begin{cases} \sum_{i,j} a_{ij1}\, x_i x_j + \sum_i b_{i1}\, x_i + \delta_1 = 0 \\ \quad\vdots \\ \sum_{i,j} a_{ijn}\, x_i x_j + \sum_i b_{in}\, x_i + \delta_n = 0 \end{cases}$

The main idea of the algorithm consists in using a change of variables such as:

$\begin{cases} x_1 = \alpha_{1,1} y_1 + \alpha_{2,1} y_2 + \cdots + \alpha_{n+v,1} y_{n+v} \\ \quad\vdots \\ x_{n+v} = \alpha_{1,n+v} y_1 + \alpha_{2,n+v} y_2 + \cdots + \alpha_{n+v,n+v} y_{n+v} \end{cases}$

whose $\alpha_{i,j}$ coefficients (for $1 \leq i \leq n$, $1 \leq j \leq n + v$) are found step by step, in
order that the resulting system $(S')$ (written with respect to these new variables
$y_1, \ldots, y_{n+v}$) is easy to solve.

- We begin by choosing randomly $\alpha_{1,1}, \ldots, \alpha_{1,n+v}$.

- We then compute $\alpha_{2,1}, \ldots, \alpha_{2,n+v}$ such that $(S')$ contains no $y_1 y_2$ terms. This
condition leads to a system of $n$ linear equations on the $(n + v)$ unknowns
$\alpha_{2,j}$ ($1 \leq j \leq n + v$):

$\sum_{1 \leq i \leq j \leq n+v} a_{ijk}\, \alpha_{1,i}\, \alpha_{2,j} = 0 \qquad (1 \leq k \leq n).$

- We then compute $\alpha_{3,1}, \ldots, \alpha_{3,n+v}$ such that $(S')$ contains neither $y_1 y_3$ terms,
nor $y_2 y_3$ terms. This condition is equivalent to the following system of $2n$
linear equations on the $(n + v)$ unknowns $\alpha_{3,j}$ ($1 \leq j \leq n + v$):

$\sum_{1 \leq i \leq j \leq n+v} a_{ijk}\, \alpha_{1,i}\, \alpha_{3,j} = 0 \qquad (1 \leq k \leq n),$

$\sum_{1 \leq i \leq j \leq n+v} a_{ijk}\, \alpha_{2,i}\, \alpha_{3,j} = 0 \qquad (1 \leq k \leq n).$

$\vdots$

- Finally, we compute $\alpha_{n,1}, \ldots, \alpha_{n,n+v}$ such that $(S')$ contains neither $y_1 y_n$
terms, nor $y_2 y_n$ terms, ..., nor $y_{n-1} y_n$ terms. This condition gives the fol-
lowing system of $(n - 1)n$ linear equations on the $(n + v)$ unknowns $\alpha_{n,j}$
($1 \leq j \leq n + v$):

$\sum_{1 \leq i \leq j \leq n+v} a_{ijk}\, \alpha_{1,i}\, \alpha_{n,j} = 0 \qquad (1 \leq k \leq n),$

$\vdots$

$\sum_{1 \leq i \leq j \leq n+v} a_{ijk}\, \alpha_{n-1,i}\, \alpha_{n,j} = 0 \qquad (1 \leq k \leq n).$

In general, all these linear equations provide at least one solution (found by
Gaussian reductions). In particular, the last system of $n(n - 1)$ equations and
$(n + v)$ unknowns generally gives a solution, as soon as $n + v > n(n - 1)$, i.e.
$v > n(n - 2)$, which is true by hypothesis.

Moreover, the $n$ vectors

$\begin{pmatrix} \alpha_{1,1} \\ \vdots \\ \alpha_{1,n+v} \end{pmatrix}, \ldots, \begin{pmatrix} \alpha_{n,1} \\ \vdots \\ \alpha_{n,n+v} \end{pmatrix}$

are very likely to be linearly independent for a random quadratic system $(S)$.

The remaining $\alpha_{i,j}$ constants (i.e. those with $n + 1 \leq i \leq n + v$ and $1 \leq j \leq
n + v$) are randomly chosen, so as to obtain a bijective change of variables.

By rewriting the system $(S)$ with respect to these new variables $y_1, \ldots, y_{n+v}$, we are
led to the following system:

$(S') \quad \begin{cases} \sum_{i=1}^{n} \beta_{i,1}\, y_i^2 + \sum_{i=1}^{n} y_i\, L_{i,1}(y_{n+1}, \ldots, y_{n+v}) + Q_1(y_{n+1}, \ldots, y_{n+v}) = 0 \\ \quad\vdots \\ \sum_{i=1}^{n} \beta_{i,n}\, y_i^2 + \sum_{i=1}^{n} y_i\, L_{i,n}(y_{n+1}, \ldots, y_{n+v}) + Q_n(y_{n+1}, \ldots, y_{n+v}) = 0 \end{cases}$

where each $L_{i,j}$ is an affine function and each $Q_i$ is a quadratic function.

We then compute $y_{n+1}, \ldots, y_{n+v}$ such that:

$\forall i,\ 1 \leq i \leq n,\ \forall j,\ 1 \leq j \leq n,\quad L_{i,j}(y_{n+1}, \ldots, y_{n+v}) = 0.$

This is possible because we have to solve a linear system of $n^2$ equations and $v$
unknowns, which generally provides at least one solution, as long as $v \geq n^2$. We
pick one of these solutions. In general, this gives the $y_i^2$ by Gaussian reduction.

Then, in characteristic 2, since $x \mapsto x^2$ is a bijection, we will then find easily
a solution for the $y_i$ from this expression of the $y_i^2$. In characteristic $\neq 2$, it will
also succeed when $2^n$ is not too large (i.e. when $n \leq 40$ for example). When $n$
is large, there is also a method to find a solution, based on the general theory
of quadratic forms. Due to the lack of space, this method will be found in the
extended version of this paper.

8 A Variation with Twice Smaller Signatures

In the UOV described in section 2, the public key is a set of $n$ quadratic equations
$y_i = P_i(x_1, \ldots, x_{n+v})$, for $1 \leq i \leq n$, where $y = (y_1, \ldots, y_n)$ is the hash value of
the message to be signed. If we use a collision-free hash function, the hash value
must be at least 128 bits long. Therefore, $q^n$ must be at least $2^{128}$, so that the
typical length of the signature, if $v = 2n$, is at least $3 \times 128 = 384$ bits.

As we see now, it is possible to make a small variation in the signature design
in order to obtain twice smaller signatures. The idea is to keep the same poly-
nomials $P_i$ (with the same associated secret key), but now the public equations
that we check are:

$\forall i,\quad P_i(x_1, \ldots, x_{n+v}) + L_i(y_1, \ldots, y_n, x_1, \ldots, x_{n+v}) = 0,$

where $L_i$ is a linear function in $(x_1, \ldots, x_{n+v})$ and where the coefficients of $L_i$ are
generated by a hash function in $(y_1, \ldots, y_n)$.

For example $L_i(y_1, \ldots, y_n, x_1, \ldots, x_{n+v}) = \alpha_1 x_1 + \alpha_2 x_2 + \cdots + \alpha_{n+v} x_{n+v}$, where
$(\alpha_1, \alpha_2, \ldots, \alpha_{n+v}) = \mathrm{Hash}(y_1, \ldots, y_n \| i)$. Now, $n$ can be chosen such that $q^n \geq 2^{64}$
(instead of $q^n \geq 2^{128}$). (Note: $q^n$ must be $\geq 2^{64}$ in order to avoid exhaustive search
on a solution $x$.) If $v = 2n$ and $q^n \approx 2^{64}$, the length of the signature will be
$3 \times 64 = 192$ bits.
9 Oil and Vinegar of Degree Three 

The Scheme 

The quadratic Oil and Vinegar schemes described in section 2 can easily be
extended to any higher degree. In the case of degree three, the set $(\mathcal{S})$ of hidden
equations are of the following type: for all $i \le n$,

$$y_i = \sum \gamma_{ijk\ell}\, a_j a'_k a'_\ell + \sum \lambda_{ijk\ell}\, a'_j a'_k a'_\ell + \sum \nu_{ijk}\, a_j a'_k + \sum \xi_{ij}\, a_j + \sum \zeta_{ij}\, a'_j + \delta_i \qquad (\mathcal{S}).$$

The coefficients $\gamma_{ijk\ell}$, $\lambda_{ijk\ell}$, $\nu_{ijk}$, $\xi_{ij}$, $\zeta_{ij}$, $\delta_i$ are the secret coefficients of
these $n$ equations. Note that these equations $(\mathcal{S})$ contain no terms in $a_j a_k a_\ell$ or
in $a_j a_k$: the equations are affine in the $a_j$ unknowns when the $a'_j$ unknowns are
fixed.

The computation of the public key, the computation of a signature and the
verification of a signature are done as before.

First Cryptanalysis of Oil and Vinegar of Degree Three when v < n 

We can look at the quadratic part of the public key and attack it exactly as for 
an Oil and Vinegar of degree two. This is expected to work when v < n. 

Note: If there is no quadratic part (i.e. if the public key is homogeneous of
degree three), or if this attack does not work, then it is always possible to apply
a random affine change of variables and to try again.

Cryptanalysis of Oil and Vinegar of Degree Three when
$v < (1 + \sqrt{3})n$ and $K$ Is of Characteristic $\neq 2$ (from an Idea of D.
Coppersmith, cf [3])

The key idea is to detect a "linearity" in some directions. We search the set $V$
of the values $d = (d_1, \ldots, d_{n+v})$ such that:

$$\forall x,\ \forall i,\ 1 \le i \le n,\qquad P_i(x + d) + P_i(x - d) = 2 P_i(x) \qquad (\#).$$

By writing that each $x_k$ indeterminate has a zero coefficient, we obtain $n \cdot (n+v)$
quadratic equations in the $(n+v)$ unknowns $d_j$.

(Each monomial $x_j x_k x_\ell$ gives $(x_j + d_j)(x_k + d_k)(x_\ell + d_\ell) + (x_j - d_j)(x_k - d_k)(x_\ell - d_\ell) - 2 x_j x_k x_\ell$,
i.e. $2(x_j d_k d_\ell + x_k d_j d_\ell + x_\ell d_j d_k)$.)

Furthermore, the cryptanalyst can specify about $n - 1$ of the coordinates $d_k$
of $d$, since the vector space of the correct $d$ is of dimension $n$. It remains thus
to solve $n \cdot (n+v)$ quadratic equations in $(v+1)$ unknowns $d_j$. When $v$ is not
too large (typically when $v^2/2 < n(n+v)$, i.e. when $v < (1 + \sqrt{3})n$), this is
expected to be easy. As a result, when $v <$ approximately $(1 + \sqrt{3})n$ and $|K|$ is
odd, this gives a simple way to break the scheme.

Note 1: When $v$ is sensibly greater than $(1 + \sqrt{3})n$ (this is a more unbalanced
limit than what we had in the quadratic case), we do not know at present
how to break the scheme.

Note 2: Strangely enough, this cryptanalysis of degree three Oil and Vinegar
schemes does not work on degree two Oil and Vinegar schemes. The reason is
that, in degree two, writing

$$\forall x,\ \forall i,\ 1 \le i \le n,\qquad P_i(x + d) + P_i(x - d) = 2 P_i(x)$$

only gives $n$ equations of degree two on the $(n+v)$ unknowns $d_j$ (that we do
not know how to solve). (Each monomial $x_j x_k$ gives $(x_j + d_j)(x_k + d_k) + (x_j - d_j)(x_k - d_k) - 2 x_j x_k$, i.e. $2 d_j d_k$.)

Note 3: In degree two, we have seen that Unbalanced Oil and Vinegar public
keys are expected to cover almost all the set of $n$ quadratic equations when
$v \simeq n^2/2$. In degree three, we have a similar property: the public keys are expected
to cover almost all the set of $n$ cubic equations for an analogous value of $v$ (the proof is similar).

10 Another Scheme: HFEV 

In the "most simple" HFE scheme (we use the notations of [?]), we have $b = f(a)$, where:

$$f(a) = \sum_{i,j} \beta_{ij}\, a^{q^{\theta_{ij}} + q^{\varphi_{ij}}} + \sum_i \alpha_i\, a^{q^{\xi_i}} + \mu_0, \qquad (1)$$

where $\beta_{ij}$, $\alpha_i$ and $\mu_0$ are elements of the field $\mathbb{F}_{q^n}$. Let $v$ be an integer ($v$ will
be the number of extra $x_i$ variables, or the number of "vinegar" variables that
we will add in the scheme). Let $a' = (a'_1, \ldots, a'_v)$ be a $v$-uple of variables of $K$.
Let now each $\alpha_i$ of (1) be an element of $\mathbb{F}_{q^n}$ such that each of the $n$ components
of $\alpha_i$ in a basis is a secret random linear function of the vinegar variables $a'_1$,
$\ldots$, $a'_v$. And in (1), let now $\mu_0$ be an element of $\mathbb{F}_{q^n}$ such that each one of the
$n$ components of $\mu_0$ in a basis is a secret random quadratic function of the
variables $a'_1, \ldots, a'_v$. Then, the $n + v$ variables $a_1, \ldots, a_n, a'_1, \ldots, a'_v$ will be mixed
in the secret affine bijection $s$ in order to obtain the variables $x_1, \ldots, x_{n+v}$. And,
as before, $t(b_1, \ldots, b_n) = (y_1, \ldots, y_n)$, where $t$ is a secret affine bijection. Then
the public key is given as the $n$ equations $y_i = P_i(x_1, \ldots, x_{n+v})$. To compute a
signature, the vinegar values $a'_1, \ldots, a'_v$ will simply be chosen at random. Then,
the values $\mu_0$ and $\alpha_i$ will be computed. Then, the monovariate equation (1) will
be solved (in $a$) in $\mathbb{F}_{q^n}$.

Example: Let $K = \mathbb{F}_2$. In HFEV, let for example the hidden polynomial be:

$$f(a) = a^{17} + \beta_{16}\, a^{16} + \beta_8\, a^8 + \beta_4\, a^4 + \beta_2\, a^2 + \beta_1\, a + \beta_0,$$

where $a = (a_1, \ldots, a_n)$ ($a_1, \ldots, a_n$ are the "oil" variables), $\beta_1, \beta_2, \beta_4, \beta_8$ and $\beta_{16}$
are given by $n$ secret linear functions on the $v$ vinegar variables and $\beta_0$ is given
by $n$ secret quadratic functions on the $v$ vinegar variables. In this example, we
compute a signature as follows: the vinegar variables are chosen at random and
the resulting equation of degree 17 is solved in $a$.

Note: Unlike UOV, in HFEV we have terms in oil$\times$oil (such as $a^{17}$), oil$\times$vinegar (such as $\beta_{16} a^{16}$, etc.) and vinegar$\times$vinegar (in $\beta_0$).

Simulations 

Nicolas Courtois did some simulations on HFEV and, in all his simulations, when
the number of vinegar variables is $\ge 3$, there are no affine multiple equations of
small degree (which is very nice). See the extended version of this paper for more
details.



218 Aviad Kipnis, Jacques Patarin, and Louis Goubin 



11 Concrete Examples of Parameters for UOV 

At present, it seems possible to choose for example $n = 64$, $v = 128$ (or
$v = 192$) and $K = \mathbb{F}_2$. The signature scheme is the one of section 8, and the
length of a signature is only 192 bits (or 256 bits) in this case. More examples
of possible parameters are given in the extended version of this paper.

Note: If we choose $K = \mathbb{F}_2$ then the public key is often large. So it is often
more practical to choose a larger $K$ and a smaller $n$: then the length of the public
key can be reduced a lot. However, even when $K$ and $n$ are fixed, it is always
feasible to make some easy transformations on a public key in order to obtain
the public key in a canonical way such that this canonical expression is slightly
shorter than the original expression. See the extended version of this paper for
details.

12 Concrete Example of Parameters for HFEV 

At present, it seems possible to choose a small value for $v$ (for example $v = 3$)
and a small value for $d$ (for example $n = 77$, $v = 3$, $d = 33$ and $K = \mathbb{F}_2$). The
signature scheme is described in the extended version of this paper (to avoid the
birthday paradox). Here the length of a signature is only 80 bits! More examples
of possible parameters are given in the extended version of this paper.



13 State of the Art (in May 1999) on Public-Key
Schemes with Multivariate Polynomials over a Small
Finite Field

Recently, many new ideas have been introduced to design better schemes, such
as UOV or HFEV described in this paper. Another idea is to fix some variables
to hide some algebraic properties, and another idea is to introduce a few really
random quadratic equations and to mix them with the original equations: see
the extended version of this paper. However, many new ideas have also been
introduced to design better attacks on previous schemes, such as the not yet
published papers [?], [2], [?], [?]. So the field is fast moving and it can look
a bit confusing at first. Moreover, some authors use the word "cryptanalysis"
for "breaking" and some authors use this word with the meaning "an analysis
about the security" that does not necessarily mean "breaking". In this section,
we describe what we know at present about the main schemes.

In the large family of public key schemes based on multivariate polynomials over
a small finite field, we can distinguish five main families, characterized
by the way the trapdoor is introduced or by the difficult problem on which the
security relies. In the first family are the schemes "with a Hidden Monomial", i.e.
the key idea is to compute an exponentiation $a \mapsto a^{1 + q^\theta}$ in a finite field for secret key
computation. In the second family are the schemes where a polynomial function
(with more than one monomial) is hidden. In the third family, the security
relies on an isomorphism problem. In the fourth family, the security relies on the
difficulty of finding the decomposition of two multivariate quadratic polynomials
from all or part of their composition. Finally, in the fifth family, the secret key
computations are based on Gaussian computations. The main schemes in these
families are described in the figure below. What may be the most interesting
scheme in each family is in a rectangle.



[Figure: the main schemes in the five families; in the original figure the most interesting scheme of each family is drawn in a rectangle.]

Family 1: C* (1985-1995); Schemes with a Hidden Monomial (ex: Dragons with one monomial)

Family 2: HFE, (polynomial) Dragons, HM

Family 3: IP

Family 4: (Original) Oil and Vinegar (1997-1998); Unbalanced Oil and Vinegar (UOV)

Family 5: 2 Round schemes (2R) (D**, 2R with S-boxes, Hybrid 2R); 2R$^-$

— C* was the first scheme of all, and it can be seen as the ancestor of all these
schemes. It was designed in [?] and broken in [?].

— Schemes with a Hidden Monomial (such as some Dragon schemes) were
studied in [?], where it is shown that most of them are insecure. However,
C*$^{--}$ (studied in [21]) is (at present) the most efficient signature scheme
(in time and RAM) in a smartcard. The scheme is not broken (but it may
seem too simple or too close to C* to have a large confidence in its security
...).

— HFE was designed in [?]. The most recent results about its security are in
[?] and [2]. In these papers, very clever attacks are described. However, at
present, it seems that the scheme is not broken since for well chosen and
still reasonable parameters the computations required to break it are still
too large. For example, the first challenge of US $500 given in the extended
version of [?] has not been claimed yet (it is a pure HFE with $n = 80$ and
$d = 96$ over $\mathbb{F}_2$).

— HFE$^-$ is just an HFE where some of the public equations are not published.
Due to [?] and [?], it may be recommended to do this (despite the fact that
original HFE may be secure without it). In the extended version of [?] a
second challenge of US $500 is described on a HFE$^-$.

— HFEV is described in this paper. HFEV and HFEV$^-$ look very hard to
break. Moreover, HFEV is more efficient than the original HFE and it can
give public key signatures of only 80 bits!

— HM and HM$^-$ were designed in [?]. Very few analyses have been done
on these schemes (but maybe we can recommend to use HM$^-$ instead of
HM?).

— IP was designed in [?]. IP schemes have the best proofs of security so far
(see [?]). IP is very simple and can be seen as a nice generalization of Graph
Isomorphism.

— The original Oil and Vinegar was presented in [?] and broken in [?].

— UOV is described in this paper. With IP, they are certainly the most simple
schemes.

— 2R was designed in [?] and [?]. Due to [?], it is necessary to have at least
128 bits in input, and due to [?], it may be wise to not publish all the
(originally) public equations: this gives the 2R$^-$ algorithms (the efficiency
of the decomposition algorithms given in [?] on the 2R schemes is not yet
completely clear).

Remark 1: These schemes are of theoretical interest but (with the exception of
IP) their security does not directly rely on a clearly defined problem that is considered to be
difficult. So is it reasonable to implement them in real products? We
think indeed that it is a bit risky to rely all the security of sensitive applications
on such schemes. However, at present, most smartcard applications
use secret key algorithms (for example Triple-DES) because RSA smartcards
are more expensive. So it can be reasonable to put in a low-cost smartcard one
of the previous public key schemes in addition to (not instead of) the existing
secret key scheme. Then the security can only be increased and the price of
the smartcard would still be low (no coprocessor needed). The security would
then rely on a master secret key for the secret key algorithm (with the risk of
depending on a master secret key) and on a new low-cost public-key scheme (with
the risk that the scheme has no proof of security). It can also be noticed that
when extremely short signature lengths (or short block encryptions) are required,
there is no real choice: at present only multivariate schemes can have lengths
between 64 and 256 bits.

Remark 2: When a new scheme is found with multivariate polynomials, we do
not necessarily have to explain how the trapdoor has been introduced. Then we
will obtain a kind of "Secret-Public Key scheme"! The scheme is clearly a Public
Key scheme since anybody can verify a signature from the public key (or can
encrypt from the public key) and the scheme is secret since the way to compute
the secret key computations (i.e. the way the trapdoor has been introduced) has
not been revealed and cannot be guessed from the public key. For example, we
could have done this for HFEV (instead of publishing it).
14 Conclusion

In this paper, we have presented two new public key schemes with “vinegar 
variables”: UOV and HFEV. The study of such schemes has led us to analyze 
very general properties about the solutions of systems of general quadratic forms. 
Moreover, from the general view presented in section 13, we see that these two 
schemes are at the present among the most interesting schemes in two of the five 
main families of schemes based on multivariate polynomials over a small finite 
field. Will this still be true in a few years ? 
Abstract. This paper investigates a novel computational problem, namely
the Composite Residuosity Class Problem, and its applications to
public-key cryptography. We propose a new trapdoor mechanism and
derive from this technique three encryption schemes: a trapdoor permutation
and two homomorphic probabilistic encryption schemes computationally
comparable to RSA. Our cryptosystems, based on usual modular
arithmetics, are provably secure under appropriate assumptions in the
standard model.



1 Background 

Since the discovery of public-key cryptography by Diffie and Hellman [?], very
few convincingly secure asymmetric schemes have been discovered despite considerable
research efforts.

We refer the reader to [?] for a thorough survey of existing public-key cryptosystems.
Basically, two major species of trapdoor techniques are in use today.
The first points to RSA and related variants such as Rabin-Williams [?][?],
LUC, Dickson's scheme or elliptic curve versions of RSA like KMOV [?]. The
technique conjugates the polynomial-time extraction of roots of polynomials over
a finite field with the intractability of factoring large numbers. It is worthwhile
pointing out that among cryptosystems belonging to this family, only Rabin-Williams
has been proven equivalent to the factoring problem so far.

Another famous technique, related to Diffie-Hellman-type schemes (El Gamal
[?], DSA, McCurley [?], etc.) combines the homomorphic properties of the modular
exponentiation and the intractability of extracting discrete logarithms over
finite groups. Again, equivalence with the primitive computational problem remains
open in general, unless particular circumstances are reached as described
in [?].

Other proposed mechanisms generally suffer from inefficiency, inherent security
weaknesses or insufficient public scrutiny: McEliece's cryptosystem [?]

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999
based on error correcting codes, Ajtai-Dwork's scheme based on lattice problems
(cryptanalyzed by Nguyen and Stern in [?]), additive and multiplicative
knapsack-type systems including Merkle-Hellman [?], Chor-Rivest (broken
by Vaudenay in [?]) and Naccache-Stern [?]; finally, Matsumoto-Imai and
Goubin-Patarin cryptosystems, based on multivariate polynomials, were successively
cryptanalyzed in [?] and [?].

We believe, however, that the cryptographic research had unnoticeably witnessed
the progressive emergence of a third class of trapdoor techniques: firstly
identified as trapdoors in the discrete log, they actually arise from the common
algebraic setting of high degree residuosity classes. After Goldwasser-Micali's
scheme [?] based on quadratic residuosity, Benaloh's homomorphic encryption
function, originally designed for electronic voting and relying on prime residuosity,
prefigured the first attempt to exploit the plain resources of this theory. Later,
Naccache and Stern [?], and independently Okamoto and Uchiyama [?] significantly
extended the encryption rate by investigating two different approaches:
residuosity of smooth degree in $\mathbb{Z}_n^*$ and residuosity of prime degree $p$ in $\mathbb{Z}^*_{p^2 q}$
respectively. In the meantime, other schemes like Vanstone-Zuccherato [?] on
elliptic curves or Park-Won [?] explored the use of high degree residues in other
settings.

In this paper, we propose a new trapdoor mechanism belonging to this family.
By contrast to prime residuosity, our technique is based on composite residuosity
classes, i.e. of degree set to a hard-to-factor number $n = pq$ where $p$ and $q$ are two
large prime numbers. Easy to understand, we believe that our trapdoor provides
a new cryptographic building-block for conceiving public-key cryptosystems.

In sections 2 and 3 we introduce our number-theoretic framework and investigate
in this context a new computational problem (the Composite Residuosity
Class Problem), whose intractability will be our main assumption. Further, we
derive three homomorphic encryption schemes based on this problem, including
a new trapdoor permutation. Probabilistic schemes will be proven semantically
secure under appropriate intractability assumptions. All our polynomial reductions
are simple and stand in the standard model.

Notations. We set $n = pq$ where $p$ and $q$ are large primes: as usual, we will
denote by $\phi(n)$ Euler's totient function and by $\lambda(n)$ Carmichael's function$^1$ taken
on $n$, i.e. $\phi(n) = (p-1)(q-1)$ and $\lambda(n) = \mathrm{lcm}(p-1, q-1)$ in the present case.
Recall that $|\mathbb{Z}^*_{n^2}| = \phi(n^2) = n\phi(n)$ and that for any $w \in \mathbb{Z}^*_{n^2}$,

$$w^{\lambda} = 1 \bmod n, \qquad w^{n\lambda} = 1 \bmod n^2,$$

which are due to Carmichael's theorem. We denote by $\mathrm{RSA}[n, e]$ the (conventionally
thought intractable) problem of extracting $e$-th roots modulo $n$ where
$n = pq$ is of unknown factorisation. The relation $P_1 \Leftarrow P_2$ (resp. $P_1 \equiv P_2$)
will denote that the problem $P_1$ is polynomially reducible (resp. equivalent) to
the problem $P_2$.

$^1$ We will adopt $\lambda$ instead of $\lambda(n)$ for visual comfort.
2 Deciding Composite Residuosity

We begin by briefly introducing composite degree residues as a natural instance
of higher degree residues, and give some basic related facts. The originality of our
setting resides in using a square number as modulus. As said before, $n = pq$
is the product of two large primes.

Definition 1. A number $z$ is said to be a $n$-th residue modulo $n^2$ if there exists
a number $y \in \mathbb{Z}^*_{n^2}$ such that

$$z = y^n \bmod n^2.$$

The set of $n$-th residues is a multiplicative subgroup of $\mathbb{Z}^*_{n^2}$ of order $\phi(n)$.
Each $n$-th residue $z$ has exactly $n$ roots of degree $n$, among which exactly one
is strictly smaller than $n$ (namely $z^{n^{-1} \bmod \lambda} \bmod n$). The $n$-th roots of unity are the
numbers of the form $(1 + n)^x = 1 + xn \bmod n^2$.

The problem of deciding $n$-th residuosity, i.e. distinguishing $n$-th residues
from non $n$-th residues, will be denoted by $\mathrm{CR}[n]$. Observe that like the problems
of deciding quadratic or higher degree residuosity, $\mathrm{CR}[n]$ is a random-self-reducible
problem, that is, all of its instances are polynomially equivalent. Each
case is thus an average case and the problem is either uniformly intractable or
uniformly polynomial. We refer to [?] for detailed references on random-self-reducibility
and the cryptographic significance of this feature.

As for prime residuosity (cf. [?]), deciding $n$-th residuosity is believed to
be computationally hard. Accordingly, we will assume that:

Conjecture 2. There exists no polynomial time distinguisher for $n$-th residues
modulo $n^2$, i.e. $\mathrm{CR}[n]$ is intractable.

This intractability hypothesis will be referred to as the Decisional Composite
Residuosity Assumption (DCRA) throughout this paper. Recall that due to the
random-self-reducibility, the validity of the DCRA only depends on the choice
of $n$.



3 Computing Composite Residuosity Classes 

We now proceed to describe the number-theoretic framework underlying the
cryptosystems introduced in sections 4, 5 and 6. Let $g$ be some element of $\mathbb{Z}^*_{n^2}$
and denote by $\mathcal{E}_g$ the integer-valued function defined by

$$\mathcal{E}_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \longrightarrow \mathbb{Z}^*_{n^2}, \qquad (x, y) \longmapsto g^x \cdot y^n \bmod n^2.$$

Depending on $g$, $\mathcal{E}_g$ may feature some interesting properties. More specifically,

Lemma 3. If the order of $g$ is a nonzero multiple of $n$ then $\mathcal{E}_g$ is bijective.
We denote by $B_\alpha \subset \mathbb{Z}^*_{n^2}$ the set of elements of order $n\alpha$ and by $B$ their
disjoint union for $\alpha = 1, \ldots, \lambda$.

Proof. Since the two groups $\mathbb{Z}_n \times \mathbb{Z}_n^*$ and $\mathbb{Z}^*_{n^2}$ have the same number of elements
$n\phi(n)$, we just have to prove that $\mathcal{E}_g$ is injective. Suppose that
$g^{x_1} y_1^n = g^{x_2} y_2^n \bmod n^2$. It comes $g^{x_2 - x_1} \cdot (y_2/y_1)^n = 1 \bmod n^2$, which implies
$g^{\lambda(x_2 - x_1)} = 1 \bmod n^2$. Thus $\lambda(x_2 - x_1)$ is a multiple of $g$'s order, and then a multiple of
$n$. Since $\gcd(\lambda, n) = 1$, $x_2 - x_1$ is necessarily a multiple of $n$. Consequently,
$x_2 - x_1 = 0 \bmod n$ and $(y_2/y_1)^n = 1 \bmod n^2$, which leads to the unique solution
$y_2/y_1 = 1$ over $\mathbb{Z}_n^*$. This means that $x_2 = x_1$ and $y_2 = y_1$. Hence, $\mathcal{E}_g$ is bijective.

□



Definition 4. Assume that $g \in B$. For $w \in \mathbb{Z}^*_{n^2}$, we call $n$-th residuosity class
of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ for which there exists $y \in \mathbb{Z}_n^*$
such that

$$\mathcal{E}_g(x, y) = w.$$

Adopting Benaloh's notations [?], the class of $w$ is denoted $[w]_g$. It is worthwhile
noticing the following property:

Lemma 5. $[w]_g = 0$ if and only if $w$ is a $n$-th residue modulo $n^2$. Furthermore,

$$\forall w_1, w_2 \in \mathbb{Z}^*_{n^2}, \qquad [w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n,$$

that is, the class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}^*_{n^2}, \times)$ to $(\mathbb{Z}_n, +)$
for any $g \in B$.

The $n$-th Residuosity Class Problem of base $g$, denoted $\mathrm{Class}[n, g]$, is defined
as the problem of computing the class function in base $g$: for a given $w \in \mathbb{Z}^*_{n^2}$,
compute $[w]_g$ from $w$. Before investigating further $\mathrm{Class}[n, g]$'s complexity, we
begin by stating the following useful observations:

Lemma 6. $\mathrm{Class}[n, g]$ is random-self-reducible over $w \in \mathbb{Z}^*_{n^2}$.

Proof. Indeed, we can easily transform any $w \in \mathbb{Z}^*_{n^2}$ into a random instance
$w' \in \mathbb{Z}^*_{n^2}$ with uniform distribution, by posing $w' = w\, g^{\alpha} \beta^n \bmod n^2$ where $\alpha$
and $\beta$ are taken uniformly at random over $\mathbb{Z}_n$ (the event $\beta \notin \mathbb{Z}_n^*$ occurs with
negligibly small probability). After $[w']_g$ has been computed, one has simply to
return $[w']_g - \alpha \bmod n$. □

Lemma 7. $\mathrm{Class}[n, g]$ is random-self-reducible over $g \in B$, i.e.

$$\forall g_1, g_2 \in B, \qquad \mathrm{Class}[n, g_1] \equiv \mathrm{Class}[n, g_2].$$



Proof. It can easily be shown that, for any $w \in \mathbb{Z}^*_{n^2}$ and $g_1, g_2 \in B$, we have

$$[w]_{g_1} = [w]_{g_2}\, [g_2]_{g_1} \bmod n, \qquad (1)$$

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes 227 



which yields $[g_1]_{g_2} = [g_2]_{g_1}^{-1} \bmod n$ and thus $[g_2]_{g_1}$ is invertible modulo $n$.

Suppose that we are given an oracle for $\mathrm{Class}[n, g_1]$. Feeding $g_2$ and $w$ into the
oracle respectively gives $[g_2]_{g_1}$ and $[w]_{g_1}$, and by straightforward deduction:

$$[w]_{g_2} = [w]_{g_1}\, [g_2]_{g_1}^{-1} \bmod n.$$

□



Lemma 7 essentially means that the complexity of $\mathrm{Class}[n, g]$ is independent
of $g$. This enables us to look upon it as a computational problem which purely
relies on $n$. Formally,

Definition 8. We call Composite Residuosity Class Problem the computational
problem $\mathrm{Class}[n]$ defined as follows: given $w \in \mathbb{Z}^*_{n^2}$ and $g \in B$, compute $[w]_g$.

We now proceed to find out which connections exist between the Composite 
Residuosity Class Problem and standard number-theoretic problems. We state 
first : 



Theorem 9. $\mathrm{Class}[n] \Leftarrow \mathrm{Fact}[n]$.

Before proving the theorem, observe that the set

$$S_n = \{ u < n^2 \mid u = 1 \bmod n \}$$

is a multiplicative subgroup of integers modulo $n^2$ over which the function $L$
such that

$$\forall u \in S_n, \qquad L(u) = \frac{u - 1}{n}$$

is clearly well-defined.

Lemma 10. For any $w \in \mathbb{Z}^*_{n^2}$, $L(w^\lambda \bmod n^2) = \lambda\, [w]_{1+n} \bmod n$.

Proof (of Lemma 10). Since $1 + n \in B$, there exists a unique pair $(a, b)$ in the
set $\mathbb{Z}_n \times \mathbb{Z}_n^*$ such that $w = (1 + n)^a b^n \bmod n^2$. By definition, $a = [w]_{1+n}$. Then

$$w^\lambda = (1 + n)^{a\lambda}\, b^{n\lambda} = (1 + n)^{a\lambda} = 1 + a\lambda n \bmod n^2,$$

which yields the announced result.

Proof (of Theorem 9). Since $[g]_{1+n} = [1 + n]_g^{-1} \bmod n$ is invertible, a consequence
of Lemma 10 is that $L(g^\lambda \bmod n^2)$ is invertible modulo $n$. Now, factoring
$n$ obviously leads to the knowledge of $\lambda$. Therefore, for any $g \in B$ and $w \in \mathbb{Z}^*_{n^2}$,
we can compute

$$\frac{L(w^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} = \frac{\lambda\, [w]_{1+n}}{\lambda\, [g]_{1+n}} = \frac{[w]_{1+n}}{[g]_{1+n}} = [w]_g \bmod n, \qquad (2)$$

by virtue of Equation (1).

□
Theorem 11. $\mathrm{Class}[n] \Leftarrow \mathrm{RSA}[n, n]$.

Proof. Since all the instances of $\mathrm{Class}[n, g]$ are computationally equivalent for
$g \in B$, and since $1 + n \in B$, it suffices to show that

$$\mathrm{Class}[n, 1 + n] \Leftarrow \mathrm{RSA}[n, n].$$

Let us be given an oracle for $\mathrm{RSA}[n, n]$. We know that $w = (1 + n)^x \cdot y^n \bmod n^2$
for some $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$. Therefore, we have $w = y^n \bmod n$ and we get $y$
by giving $w \bmod n$ to the oracle. From now,

$$\frac{w}{y^n} = (1 + n)^x = 1 + xn \bmod n^2,$$

which discloses $x = L(w\, y^{-n} \bmod n^2)$ as announced. □

Theorem 12. Let $\mathrm{D\text{-}Class}[n]$ be the decisional problem associated to $\mathrm{Class}[n]$,
i.e. given $w \in \mathbb{Z}^*_{n^2}$, $g \in B$ and $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not. Then

$$\mathrm{CR}[n] \equiv \mathrm{D\text{-}Class}[n] \Leftarrow \mathrm{Class}[n].$$

Proof. The hierarchy $\mathrm{D\text{-}Class}[n] \Leftarrow \mathrm{Class}[n]$ comes from the general fact that
it is easier to verify a solution than to compute it. Let us prove the left-side
equivalence. ($\Rightarrow$) Submit $w g^{-x} \bmod n^2$ to the oracle solving $\mathrm{CR}[n]$. In case of
$n$-th residuosity detection, the equality $[w g^{-x}]_g = 0$ implies $[w]_g = x$ by Lemma
5 and then answer "Yes". Otherwise answer "No" or "Failure" according to the
oracle's response. ($\Leftarrow$) Choose an arbitrary $g \in B$ ($1 + n$ will do) and submit the
triple $(g, w, x = 0)$ to the oracle solving $\mathrm{D\text{-}Class}[n]$. Return the oracle's answer
without change. □

To conclude, the computational hierarchy we have been looking for was

$$\mathrm{CR}[n] \equiv \mathrm{D\text{-}Class}[n] \Leftarrow \mathrm{Class}[n] \Leftarrow \mathrm{RSA}[n, n] \Leftarrow \mathrm{Fact}[n], \qquad (3)$$

with serious doubts concerning a potential equivalence, except possibly between
$\mathrm{D\text{-}Class}[n]$ and $\mathrm{Class}[n]$. Our second intractability hypothesis will be to
assume the hardness of the Composite Residuosity Class Problem by making the
following conjecture:

Conjecture 13. There exists no probabilistic polynomial time algorithm that
solves the Composite Residuosity Class Problem, i.e. $\mathrm{Class}[n]$ is intractable.

By contrast to the Decisional Composite Residuosity Assumption, this conjecture
will be referred to as the Computational Composite Residuosity Assumption
(CCRA). Here again, random-self-reducibility implies that the validity of
the CCRA is only conditioned by the choice of $n$. Obviously, if the DCRA is true
then the CCRA is true as well. The converse, however, still remains a challenging
open question.
4 A New Probabilistic Encryption Scheme

We now proceed to describe a public-key encryption scheme based on the Composite
Residuosity Class Problem. Our methodology is quite natural: employing
$\mathcal{E}_g$ for encryption and the polynomial reduction of Theorem 9 for decryption, using
the factorisation as a trapdoor.

Set $n = pq$ and randomly select a base $g \in B$: as shown before, this can be
done efficiently by checking whether

$$\gcd\big(L(g^\lambda \bmod n^2), n\big) = 1. \qquad (4)$$

Now, consider $(n, g)$ as public parameters whilst the pair $(p, q)$ (or equivalently
$\lambda$) remains private. The cryptosystem is depicted below.



Encryption:
plaintext $m < n$
select a random $r < n$
ciphertext $c = g^m \cdot r^n \bmod n^2$

Decryption:
ciphertext $c < n^2$
plaintext $m = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$

Scheme 1. Probabilistic Encryption Scheme Based on Composite Residuosity.

The correctness of the scheme is easily verified from Equation (2) and it is
straightforward that the encryption function is a trapdoor function with $\lambda$ (that
is, the knowledge of the factors of $n$) as the trapdoor secret. One-wayness is
based on the computational problem discussed in the previous section.

Theorem 14. Scheme 1 is one-way if and only if the Computational Composite 
Residuosity Assumption holds. 

Proof. Inverting our scheme is by definition the Composite Residuosity Class 
Problem. □ 



Theorem 15. Scheme 1 is semantically secure if and only if the Decisional 
Composite Residuosity Assumption holds. 

Proof. Assume that $m_0$ and $m_1$ are two known messages and $c$ the ciphertext
of either $m_0$ or $m_1$. Due to Lemma 5, $c$ is the ciphertext of $m_0$ if and only
if $c g^{-m_0} \bmod n^2$ is a $n$-th residue. Therefore, a successful chosen-plaintext attacker
could decide composite residuosity, and vice-versa. □
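Scheme 1 together with the objects of section 3 it rests on, as an added example that is not the paper's code: the function $L$ of Theorem 9, base selection by Equation (4), the class function of Equation (2), encryption, decryption, and the homomorphism and residue test of Lemma 5. The primes used in the usage are constructed toy values; everything else is the Python standard library.

```python
"""Paillier's Scheme 1 (section 4) with the class function of Theorem 9 and
the homomorphism of Lemma 5, written as an added example in the paper's
notation. The primes passed to keygen() in the usage are constructed toy
values; a real deployment needs primes of RSA size, otherwise n is factored
trivially and lambda, the trapdoor, is exposed."""
from math import gcd
import secrets


def lcm(a, b):
    return a * b // gcd(a, b)


def L(u, n):
    """L(u) = (u - 1) / n on S_n = {u < n^2 : u = 1 mod n} (Theorem 9)."""
    assert u % n == 1, "u is not in S_n"
    return (u - 1) // n


def is_valid_base(g, n, lam):
    """Equation (4): g is in B iff gcd(L(g^lambda mod n^2), n) = 1."""
    if gcd(g, n) != 1:
        return False
    return gcd(L(pow(g, lam, n * n), n), n) == 1


def keygen(p, q):
    """Public key (n, g), private key lambda = lcm(p - 1, q - 1)."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    n2 = n * n
    while True:  # random g in Z_{n^2}^* whose order is a multiple of n
        g = secrets.randbelow(n2 - 2) + 2
        if is_valid_base(g, n, lam):
            return (n, g), lam


def epsilon(g, x, y, n):
    """epsilon_g(x, y) = g^x * y^n mod n^2 (section 3); a bijection
    Z_n x Z_n^* -> Z_{n^2}^* when g is in B (Lemma 3)."""
    n2 = n * n
    return pow(g, x, n2) * pow(y, n, n2) % n2


def residuosity_class(w, g, n, lam):
    """[w]_g by Equation (2): L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n.
    Needs lambda, i.e. the factorisation of n, which is the trapdoor."""
    n2 = n * n
    num = L(pow(w, lam, n2), n)
    den = L(pow(g, lam, n2), n)  # invertible modulo n because g is in B
    return num * pow(den, -1, n) % n


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 for a fresh random r in Z_n^*."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be smaller than n")
    while True:
        r = secrets.randbelow(n)
        if r != 0 and gcd(r, n) == 1:
            return epsilon(g, m, r, n)


def decrypt(pub, lam, c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    n, g = pub
    return residuosity_class(c, g, n, lam)


def add_ciphertexts(pub, c1, c2):
    """Lemma 5: [w1 w2]_g = [w1]_g + [w2]_g mod n, so the product of two
    ciphertexts modulo n^2 decrypts to the sum of the plaintexts modulo n."""
    n, _ = pub
    return c1 * c2 % (n * n)


def is_nth_residue(pub, lam, w):
    """Lemma 5: [w]_g = 0 iff w is an n-th residue modulo n^2. Without
    lambda this decision is exactly the problem CR[n] of Conjecture 2."""
    n, g = pub
    return residuosity_class(w, g, n, lam) == 0


if __name__ == "__main__":
    pub, lam = keygen(1009, 1013)  # constructed toy primes
    c = encrypt(pub, 42)
    print(decrypt(pub, lam, c), is_nth_residue(pub, lam, c))
```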
5 A New One-Way Trapdoor Permutation

One-way trapdoor permutations are very rare cryptographic objects: we refer
the reader to [?] for an exhaustive documentation on these. In this section, we
show how to use the trapdoor technique introduced in the previous section to
derive a permutation over $\mathbb{Z}^*_{n^2}$.

As before, $n$ stands for the product of two large primes and $g$ is chosen as in
Equation (4).



Encryption:
plaintext $m < n^2$
split $m$ into $m_1, m_2$ such that $m = m_1 + n m_2$
ciphertext $c = g^{m_1}\, m_2^n \bmod n^2$

Decryption:
ciphertext $c < n^2$
Step 1. $m_1 = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$
Step 2. $c' = c\, g^{-m_1} \bmod n$
Step 3. $m_2 = c'^{\,n^{-1} \bmod \lambda} \bmod n$
plaintext $m = m_1 + n m_2$

Scheme 2. A Trapdoor Permutation Based on Composite Residuosity.

We first show the scheme's correctness. Clearly, Step 1 correctly retrieves
$m_1 = m \bmod n$ as in Scheme 1. Step 2 is actually an unblinding phase which
is necessary to recover $m_2^n \bmod n$. Step 3 is an RSA decryption with a public
exponent $e = n$. The final step recombines$^2$ the original message $m$. The fact that
Scheme 2 is a permutation comes from the bijectivity of $\mathcal{E}_g$. Again, trapdoorness
is based on the factorisation of $n$. Regarding one-wayness, we state:

Theorem 16. Scheme 2 is one-way if and only if $\mathrm{RSA}[n, n]$ is hard.

Proof. a) Since $\mathrm{Class}[n] \Leftarrow \mathrm{RSA}[n, n]$ (Theorem 11), extracting $n$-th roots
modulo $n$ is sufficient to compute $m_1$ from $\mathcal{E}_g(m_1, m_2)$. Retrieving $m_2$ then
requires one more additional extraction. Thus, inverting Scheme 2 cannot be
harder than extracting $n$-th roots modulo $n$. b) Conversely, an oracle which
inverts Scheme 2 allows root extraction: first query the oracle to get the two
numbers $a$ and $b$ such that $1 + n = g^a b^n \bmod n^2$. Now if $w = y_0^n \bmod n$, query
the oracle again to obtain $x$ and $y$ such that $w = g^x y^n \bmod n^2$. Since $1 + n \in B$,
we know there exists an $x_0$ such that $w = (1 + n)^{x_0} y_0^n \bmod n^2$, wherefrom

$$w = (g^a b^n)^{x_0}\, y_0^n \bmod n^2.$$

By identification with $w = g^x y^n \bmod n^2$, we get $x_0 = x a^{-1} \bmod n$ and finally
$y_0 = y\, b^{-x_0} \bmod n$ which is the wanted value. □

$^2$ Note that every public bijection $m \mapsto (m_1, m_2)$ fits the scheme's structure, but
euclidean division appears to be the most natural one.



Remark 17. Note that by definition of $\mathcal{E}_g$, the cryptosystem requires that $m_2 \in
\mathbb{Z}_n^*$, just like in the RSA setting. The case $m_2 \notin \mathbb{Z}_n^*$ either allows to factor $n$ or
leads to the ciphertext zero for all possible values of $m_1$. A consequence of this
fact is that our trapdoor permutation cannot be employed ad hoc to encrypt
short messages, i.e. messages smaller than $n$.



Digital Signatures. Finally, denoting by $h : \mathbb{N} \to \{0,1\}^\ell \subset \mathbb{Z}_{n^2}^*$ a hash function
seen as a random oracle [ref], we obtain a digital signature scheme as follows.
For a given message $m$, the signer computes the signature $(s_1, s_2)$ where

$$s_1 = \frac{L(h(m)^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n , \qquad
s_2 = \left(h(m)\, g^{-s_1}\right)^{1/n \bmod \lambda} \bmod n$$

and the verifier checks that

$$h(m) = g^{s_1} s_2^{\,n} \bmod n^2 .$$



Corollary 18 (of Theorem 16 [ref]). In the random oracle model, an existential
forgery of our signature scheme under an adaptive chosen message attack has a
negligible success probability provided that RSA$[n,n]$ is intractable.

Although we feel that the above trapdoor permutation remains of moderate
interest due to its equivalence with RSA, the rarity of such objects is such that
we find it useful to mention its existence. Moreover, the homomorphic properties
of this scheme, discussed in section 8, could be of a certain utility regarding some
(still unresolved) cryptographic problems.

6 Reaching Almost-Quadratic Decryption Complexity 

Most popular public-key cryptosystems present a cubic decryption complexity,
and this is the case for Scheme 1 as well. The fact that no faster (and still
appropriately secure) designs have been proposed so far strongly motivates the
search for novel trapdoor functions allowing increased decryption performances.
This section introduces a slightly modified version of our main scheme (Scheme 1)
which features an $O(|n|^{2+\varepsilon})$ decryption complexity.
Here, the idea consists in restricting the ciphertext space $\mathbb{Z}_{n^2}^*$ to the subgroup
$\langle g \rangle$ of smaller order by taking advantage of the following extension of
Equation [ref]. Assume that $g \in B_\alpha$ for some $1 \le \alpha \le \lambda$. Then for any $w \in \langle g \rangle$,

$$[w]_g = \frac{L(w^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n \qquad (5)$$



This motivates the cryptosystem depicted below. 



Encryption:

    plaintext $m < n$
    randomly select $r < n$
    ciphertext $c = g^{m + nr} \bmod n^2$

Decryption:

    ciphertext $c < n^2$
    plaintext $m = \dfrac{L(c^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n$



Scheme 3. Variant with fast decryption. 



Note that this time, the encryption function's trapdoorness relies on the
knowledge of $\alpha$ (instead of $\lambda$) as secret key. The most computationally expensive
operation involved in decryption is the modular exponentiation $c \mapsto c^\alpha \bmod n^2$,
which runs in complexity $O(|n|^2 |\alpha|)$ (to be compared to $O(|n|^3)$ in Scheme 1). If
$g$ is chosen in such a way that $|\alpha| = \Omega(|n|^\varepsilon)$ for some $\varepsilon > 0$, then decryption will
only take $O(|n|^{2+\varepsilon})$ bit operations. To the best of our knowledge, Scheme 3 is the
only public-key cryptosystem based on modular arithmetics whose decryption
function features such a property.

Clearly, inverting the encryption function does not rely on the composite
residuosity class problem, since this time the ciphertext is known to be an element
of $\langle g \rangle$, but on a weaker instance. More formally,

Theorem 19. We call Partial Discrete Logarithm Problem the computational
problem PDL$[n,g]$ defined as follows: given $w \in \langle g \rangle$, compute $[w]_g$. Then
Scheme 3 is one-way if and only if PDL$[n, g]$ is hard.



Theorem 20. We call Decisional Partial Discrete Logarithm Problem the decisional
problem D-PDL$[n, g]$ defined as follows: given $w \in \langle g \rangle$ and $x \in \mathbb{Z}_n$,
decide whether $[w]_g = x$. Then Scheme 3 is semantically secure if and only if
D-PDL$[n, g]$ is hard.
The proofs are similar to those given for Scheme 1 earlier in the paper. By opposition to the
original class problems, these ones are not random-self-reducible over $g \in B$ but
over cyclic subgroups of $B$, and present other interesting characteristics that we
do not discuss here due to the lack of space. Obviously,

$$\mathrm{PDL}[n, g] \Leftarrow \mathrm{Class}[n] \quad \text{and} \quad \text{D-PDL}[n, g] \Leftarrow \mathrm{CR}[n]$$

but equivalence can be reached when $g$ is of maximal order $n\lambda$ and $n$ the product
of two safe primes. When $g \in B_\alpha$ for some $\alpha < \lambda$ such that $|\alpha| = \Omega(|n|^\varepsilon)$ for
$\varepsilon > 0$, we conjecture that both PDL$[n,g]$ and D-PDL$[n,g]$ are intractable.

In order to thwart Baby-Step Giant-Step attacks, we recommend the use
of 160-bit prime numbers for $\alpha$ in practical use. This can be managed by an
appropriate key generation. In this setting, the computational load of Scheme 3
is smaller than an RSA decryption with Chinese Remaindering for $|n| \ge 1280$.
The next section provides tight evaluations and performance comparisons for all the
encryption schemes presented in this paper.
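As an added example (not code from the paper), the fast variant above on toy parameters in Python: $\lambda$ is chosen to be a multiple of a small prime $\alpha$, $g$ is obtained by raising an element of maximal order to the power $\lambda/\alpha$ (the key-generation treatment mentioned in the next section), and decryption uses only $\alpha$. The primes, the messages and all helper names are this example's own choices; a 160-bit $\alpha$ would replace the 4-bit one here.

```python
# Added example: Paillier's Scheme 3 (fast variant) on toy parameters. Not the paper's code.
import random
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def L(u, n):
    """L(u) = (u - 1) / n for u in S_n = {u < n^2 : u = 1 (mod n)}; the division is exact."""
    assert u % n == 1
    return (u - 1) // n

def small_prime_factors(x):
    """Distinct prime factors by trial division; adequate for the toy sizes used here."""
    out, d = [], 2
    while d * d <= x:
        if x % d == 0:
            out.append(d)
            while x % d == 0:
                x //= d
        d += 1
    if x > 1:
        out.append(x)
    return out

def has_order(h, order, modulus):
    """True iff h has multiplicative order exactly `order` modulo `modulus`."""
    if pow(h, order, modulus) != 1:
        return False
    return all(pow(h, order // ell, modulus) != 1 for ell in small_prime_factors(order))

def keygen(p, q, alpha, rng):
    """Public key (n, g) with g in B_alpha (order n*alpha); secret key alpha plus one
    precomputed constant. lambda is needed here only, never for decryption."""
    n, lam = p * q, lcm(p - 1, q - 1)
    n2 = n * n
    assert lam % alpha == 0 and gcd(n, lam) == 1
    while True:                                 # element h of maximal order n*lambda
        h = rng.randrange(2, n2)
        if gcd(h, n) == 1 and has_order(h, n * lam, n2):
            break
    g = pow(h, lam // alpha, n2)                # order n*lambda / (lambda/alpha) = n*alpha
    assert has_order(g, n * alpha, n2)
    hg = pow(L(pow(g, alpha, n2), n), -1, n)    # L(g^alpha mod n^2)^-1 mod n, computed once
    return (n, g), (alpha, hg)

def encrypt(pk, m, rng):
    n, g = pk
    r = rng.randrange(1, n)
    return pow(g, m + n * r, n * n)             # c = g^(m + n r) mod n^2, an element of <g>

def decrypt(pk, sk, c):
    n, g = pk
    alpha, hg = sk
    # Equation (5): [c]_g = L(c^alpha mod n^2) / L(g^alpha mod n^2) mod n
    return L(pow(c, alpha, n * n), n) * hg % n

def demo():
    """Round trips plus the additive and self-blinding identities, all inside <g>."""
    rng = random.Random(7)
    p, q, alpha = 23, 67, 11                    # lambda = lcm(22, 66) = 66 = 6 * alpha
    pk, sk = keygen(p, q, alpha, rng)
    n, g = pk
    n2 = n * n
    m1, m2 = 1234, 999
    c1, c2 = encrypt(pk, m1, rng), encrypt(pk, m2, rng)
    return (decrypt(pk, sk, c1) == m1 and decrypt(pk, sk, c2) == m2
            and decrypt(pk, sk, c1 * c2 % n2) == (m1 + m2) % n
            and decrypt(pk, sk, c1 * pow(g, n * 5, n2) % n2) == m1)
```

The `has_order` check on $g$ is the part worth keeping in a real key generator: if $g^\alpha$ does not have order exactly $n$, the constant $L(g^\alpha \bmod n^2)$ is not invertible modulo $n$ and decryption silently fails, which is exactly the condition $g \in B_\alpha$ expresses.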



7 Efficiency and Implementation Aspects 

In this section, we briefly analyse the main practical aspects of computations 
required by our cryptosystems and provide various implementation strategies 
for increased performance. 

Key Generation. The prime factors $p$ and $q$ must be generated according to the
usual recommendations in order to make $n$ as hard to factor as possible. The fast
variant (Scheme 3) requires additionally $\lambda = \mathrm{lcm}(p - 1, q - 1)$ to be a multiple of
a 160-bit prime integer, which can be managed by usual DSA-prime generation
or other similar techniques. The base $g$ can be chosen randomly among elements
of order divisible by $n$, but note that the fast variant will require a specific
treatment (typically raise an element of maximal order to the power $\lambda/\alpha$). The
whole generation may be made easier by carrying out computations separately
mod $p^2$ and mod $q^2$ and Chinese-remaindering $g \bmod p^2$ and $g \bmod q^2$ at the
very end.

Encryption. Encryption requires a modular exponentiation of base $g$. The computation
may be significantly accelerated by a judicious choice of $g$. As an illustrative
example, taking $g = 2$ or small numbers allows an immediate speed-up
factor of 1/3, provided the chosen value fulfills the requirement $g \in B$ imposed by
the setting. Optionally, $g$ could even be fixed to a constant value if the key generation
process includes a specific adjustment. At the same time, pre-processing
techniques for exponentiating a constant base can dramatically reduce the computational
cost. The second computation $r^n$ or $g^{nr} \bmod n^2$ can also be computed
in advance.

Decryption. Computing $L(u)$ for $u \in S_n$ may be achieved at a very low cost
(only one multiplication modulo $2^{|n|}$) by precomputing $n^{-1} \bmod 2^{|n|}$: the quotient
$(u-1)/n$ is smaller than $n < 2^{|n|}$, so multiplying $u - 1$ by $n^{-1}$ modulo $2^{|n|}$ yields it exactly. The constant parameter

$$L(g^\lambda \bmod n^2)^{-1} \bmod n \quad \text{or} \quad L(g^\alpha \bmod n^2)^{-1} \bmod n$$

can also be precomputed once for all.

Decryption using Chinese-remaindering. The Chinese Remainder Theorem [ref]
can be used to efficiently reduce the decryption workload of the three
cryptosystems. To see this, one has to employ the functions $L_p$ and $L_q$ defined
over

$$S_p = \{x < p^2 \mid x = 1 \bmod p\} \quad \text{and} \quad S_q = \{x < q^2 \mid x = 1 \bmod q\}$$

by

$$L_p(x) = \frac{x - 1}{p} \quad \text{and} \quad L_q(x) = \frac{x - 1}{q} .$$

Decryption can therefore be made faster by separately computing the message
mod $p$ and mod $q$ and recombining modular residues afterwards:

$$m_p = L_p(c^{p-1} \bmod p^2)\, h_p \bmod p$$
$$m_q = L_q(c^{q-1} \bmod q^2)\, h_q \bmod q$$
$$m = \mathrm{CRT}(m_p, m_q) \bmod pq$$

with precomputations

$$h_p = L_p(g^{p-1} \bmod p^2)^{-1} \bmod p \quad \text{and} \quad
h_q = L_q(g^{q-1} \bmod q^2)^{-1} \bmod q ,$$

where $p - 1$ and $q - 1$ have to be replaced by $\alpha$ in the fast variant.



Performance evaluations. For each $|n| = 512, \dots, 2048$, the modular multiplication
of bitsize $|n|$ is taken as the unitary operation; we assume that the
execution time of a modular multiplication is quadratic in the operand size and
that modular squares are computed by the same routine. Chinese remaindering,
as well as random number generation for probabilistic schemes, is considered to
be negligible. The RSA public exponent is taken equal to $F_4 = 2^{16} + 1$. The parameter
$g$ is set to 2 in our main scheme, as well as in the trapdoor permutation.
Other parameters, secret exponents or messages are assumed to contain about
the same number of ones and zeroes in their binary representation.
Schemes            Main Scheme    Permutation    Fast Variant    RSA           ElGamal
One-wayness        Class[n]       RSA[n,n]       PDL[n,g]        RSA[n,F4]     DH[p]
Semantic Sec.      CR[n]          none           D-PDL[n,g]      none          D-DH[p]
Plaintext size     |n|            2|n|           |n|             |n|           |p|
Ciphertext size    2|n|           2|n|           2|n|            |n|           2|p|

Encryption (number of |n|-bit modular multiplications)
|n|,|p| = 512      5120           5120           4032            17            1536
|n|,|p| = 768      7680           7680           5568            17            2304
|n|,|p| = 1024     10240          10240          7104            17            3072
|n|,|p| = 1536     15360          1536           10176           17            4608
|n|,|p| = 2048     20480          20480          13248           17            6144

Decryption (number of |n|-bit modular multiplications)
|n|,|p| = 512      768            1088           480             192           768
|n|,|p| = 768      1152           1632           480             288           1152
|n|,|p| = 1024     1536           2176           480             384           1536
|n|,|p| = 1536     2304           3264           480             576           2304
|n|,|p| = 2048     3072           4352           480             768           3072

These estimates are purely indicative, and do not result from an actual
implementation. We did not include the potential pre-processing stages. Chinese
remaindering is taken into account in cryptosystems that allow it, i.e. all of them
except ElGamal.



8 Properties 

Before concluding, we would like to stress again the algebraic characteristics of 
our cryptosystems, especially those of Schemes 1 and 3. 



Random-Self-Reducibility. This property actually concerns the underlying
number-theoretic problems CR$[n]$ and Class$[n]$ and, to some extent, their weaker
versions D-PDL$[n, g]$ and PDL$[n, g]$. Essentially, random-self-reducible problems
are as hard on average as they are in the worst case: both RSA and the Discrete
Log problems have this feature. Problems of that type are believed to yield good
candidates for one-way functions [ref].



Additive Homomorphic Properties. As already seen, the two encryption
functions $m \mapsto g^m r^n \bmod n^2$ and $m \mapsto g^{m + nr} \bmod n^2$ are additively homomorphic
on $\mathbb{Z}_n$. Practically, this leads to the following identities:

$\forall\, m_1, m_2 \in \mathbb{Z}_n$ and $k \in \mathbb{N}$

$$D(E(m_1)\, E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$$
$$D(E(m)^k \bmod n^2) = k m \bmod n$$
$$D(E(m_1)\, g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$$
$$D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n .$$



These properties are known to be particularly appreciated in the design of voting
protocols, threshold cryptosystems, watermarking and secret sharing schemes,
to quote a few. Server-aided polynomial evaluation (see [ref]) is another potential
field of application.



Self-Blinding. Any ciphertext can be publicly changed into another one without
affecting the plaintext:

$\forall\, m \in \mathbb{Z}_n$ and $r \in \mathbb{N}$

$$D(E(m)\, r^n \bmod n^2) = m \quad \text{or} \quad D(E(m)\, g^{nr} \bmod n^2) = m ,$$

depending on which cryptosystem is considered. Such a property has potential
applications in a wide range of cryptographic settings.
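The following added example (not code from the paper) implements Scheme 1 with the three decryption shortcuts of Section 7 (the precomputed constant, the division-free $L(u)$ by multiplication with $n^{-1} \bmod 2^{|n|}$, and Chinese remaindering with $h_p$, $h_q$) and checks the homomorphic and self-blinding identities above on toy primes. The primes, messages and helper names are this example's choices; $g = 2$ follows the performance-evaluation setting, with a fallback to $1 + n$ if 2 is not in $B$.

```python
# Added example: Scheme 1 with Section 7 decryption shortcuts and Section 8 identities.
# Not the paper's code; toy primes only.
import random
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def L(u, n):
    """L(u) = (u - 1) / n, exact for u in S_n = {u < n^2 : u = 1 (mod n)}."""
    return (u - 1) // n

def L_mul(u, n, n_inv, k):
    """Division-free L(u): u - 1 = n*t with t < n < 2^k, so t = (u - 1) * n^-1 mod 2^k."""
    return ((u - 1) * n_inv) % (1 << k)

def keygen(p, q, g=2):
    n, lam = p * q, lcm(p - 1, q - 1)
    n2 = n * n
    if gcd(L(pow(g, lam, n2), n), n) != 1:     # g must have order divisible by n (g in B)
        g = 1 + n
    mu = pow(L(pow(g, lam, n2), n), -1, n)      # L(g^lambda mod n^2)^-1 mod n, precomputed
    hp = pow(L(pow(g, p - 1, p * p), p), -1, p)  # h_p from the CRT decryption of Section 7
    hq = pow(L(pow(g, q - 1, q * q), q), -1, q)  # h_q
    k = n.bit_length()
    n_inv = pow(n, -1, 1 << k)                  # n^-1 mod 2^|n| for the division-free L
    sk = dict(lam=lam, mu=mu, p=p, q=q, hp=hp, hq=hq, k=k, n_inv=n_inv)
    return (n, g), sk

def random_unit(n, rng):
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r

def encrypt(pk, m, rng):
    n, g = pk
    r = random_unit(n, rng)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)   # c = g^m r^n mod n^2

def decrypt(pk, sk, c):
    n, _ = pk
    u = pow(c, sk["lam"], n * n)
    return L_mul(u, n, sk["n_inv"], sk["k"]) * sk["mu"] % n

def decrypt_crt(pk, sk, c):
    """m_p, m_q separately, then Garner-style recombination m = CRT(m_p, m_q) mod pq."""
    p, q = sk["p"], sk["q"]
    mp = L(pow(c, p - 1, p * p), p) * sk["hp"] % p
    mq = L(pow(c, q - 1, q * q), q) * sk["hq"] % q
    return mp + p * ((mq - mp) * pow(p, -1, q) % q)

def homomorphic_checks(pk, sk, m1, m2, k, rng):
    """Each identity of Section 8 evaluated on fresh ciphertexts; returns a dict of booleans."""
    n, g = pk
    n2 = n * n
    E = lambda m: encrypt(pk, m, rng)
    D = lambda c: decrypt(pk, sk, c)
    c1, c2 = E(m1), E(m2)
    r = random_unit(n, rng)
    return {
        "add":        D(c1 * c2 % n2) == (m1 + m2) % n,
        "scalar":     D(pow(c1, k, n2)) == (k * m1) % n,
        "add_plain":  D(c1 * pow(g, m2, n2) % n2) == (m1 + m2) % n,
        "mul_plain":  D(pow(c1, m2, n2)) == D(pow(c2, m1, n2)) == (m1 * m2) % n,
        "self_blind": D(c1 * pow(r, n, n2) % n2) == m1,
        "crt":        decrypt_crt(pk, sk, c1) == m1,
    }

def demo():
    rng = random.Random(1)
    pk, sk = keygen(1019, 1033)
    return homomorphic_checks(pk, sk, 31415, 27182, 7, rng)
```

The `self_blind` line is the one to remember when such a scheme is used in a protocol: anyone can re-randomise a ciphertext, so equality of ciphertexts never implies equality of plaintexts, and a protocol that needs non-malleability must add something on top, as the next paper in these proceedings does with a hash check.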

9 Further Research 

In this paper, we introduced a new number-theoretic problem and a related 
trapdoor mechanism based on the use of composite degree residues. We derived 
three new cryptosystems based on our technique, all of which are provably secure 
under adequate intractability assumptions. 

Although we do not provide any proof of security against chosen ciphertext 
attacks, we believe that one could bring slight modifications to Schemes 1 and 
3 to render them resistant against such attacks, at least in the random oracle 
model. 

Another research topic resides in exploiting the homomorphic properties of 
our systems to design distributed cryptographic protocols (multi-signature, se- 
cret sharing, threshold cryptography, and so forth) or other cryptographically 
useful objects. 
Abstract. Since the Diffie-Hellman paper, asymmetric encryption has
been a very important topic, and has been well studied ever since. However,
between the efficiency of RSA and the security of some less efficient
schemes, no trade-off has ever been provided.

In this paper, we propose better than a trade-off; indeed, we first present 
a new problem, derived from the RSA assumption, the “Dependent- 
RSA Problem”. A careful study of its difficulty is performed and some 
variants are proposed, namely the “Decisional Dependent-RSA Prob- 
lem” . 

They are next used to provide new encryption schemes which are both 
secure and efficient. More precisely, the main scheme is proven semanti- 
cally secure in the standard model. Then, two variants are derived with 
improved security properties, namely against adaptive chosen-ciphertext 
attacks, in the random oracle model. Furthermore, all those schemes are 
more or less as efficient as the original RSA encryption scheme and reach 
semantic security. 

Keywords: Public-Key Encryption, Semantic Security, Chosen-Cipher- 
text Attacks, the Dependent-RSA Problem 



Introduction 

Since the seminal Diffie-Hellman paper [ref], which presented the foundations of
asymmetric cryptography, public-key cryptosystems have been an important
goal for many people. In 1978, the RSA cryptosystem [ref] was the first application
and remains the most popular scheme. However, it does not satisfy any
security criterion (e.g., the RSA encryption standard PKCS #1 v1.5 has even
been recently broken [ref]) and was subject to numerous attacks (broadcast [ref],
related messages [ref], etc.).

Notions of Security. In 1984, Goldwasser and Micali [ref] defined some security
notions that an encryption scheme should satisfy, namely indistinguishability of
encryptions (a.k.a. polynomial security or semantic security). This notion means
that a ciphertext does not leak any useful information about the plaintext, but
its length, to a polynomial time attacker. For example, if an attacker knows that
the plaintext is either "sell" or "buy", the ciphertext does not help him.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 239–254, 1999.
© Springer-Verlag Berlin Heidelberg 1999
In the meantime, El Gamal [ref] proposed a probabilistic encryption scheme
based on the Diffie-Hellman problem [ref]. Its semantic security, relative to the
Decisional Diffie-Hellman problem, was formally proven just last year [ref], even
if the result was informally well known. However this scheme never got very
popular because of its computational load.

During the last ten years, beyond semantic security, a new security notion
has been defined: the non-malleability [ref]. Moreover, some stronger scenarios of
attacks have been considered: the (adaptive) chosen-ciphertext attacks [refs].
More precisely, the non-malleability property means that any attacker cannot
modify a ciphertext while keeping any control over the relation between the
resulting plaintext and the original one. On the other hand, the stronger scenarios
give partial or total access to a decryption oracle to the attacker (against the
semantic security or the non-malleability). Another kind of property for encryption
schemes has also been defined, called Plaintext-Awareness [ref], which means
that no one can produce a valid ciphertext without knowing the corresponding
plaintext. At last Crypto, Bellare et al. [ref] provided a precise analysis of
all these security notions. The main practical result is the equivalence between
non-malleability and semantic security in adaptive chosen-ciphertext scenarios.

New Encryption Schemes. Besides all these strong notions of security, very few
new schemes have been proposed. In 1994, Bellare and Rogaway [ref] presented
some variants of RSA semantically secure even in the strong sense (i.e. against
adaptive chosen-ciphertext attacks) in the random oracle model [ref]. But we
had to wait until 1998 to see other practical schemes with proofs of semantic security:
Okamoto-Uchiyama [ref], Naccache-Stern [ref] and Paillier [ref], all based
on higher residues; Cramer-Shoup [ref], based on the Decisional Diffie-Hellman
problem. Nevertheless, they remain rather inefficient. Indeed, all of them are in
a discrete logarithm setting and require many full-size exponentiations for the
encryption process. Therefore, they are not more efficient than the El Gamal
encryption scheme.

The random oracle model. The best security argument for a cryptographic protocol
is a proof in the standard model relative to a well-studied difficult problem,
such as RSA, the factorization or the discrete logarithm. But no really
efficient cryptosystem can aspire to such an argument. Indeed, the best encryption
scheme that achieves chosen-ciphertext security in the standard model was
published last year [ref], and still requires more than four exponentiations for an
encryption.

In 1993, Bellare and Rogaway [ref] defined a model, the so-called "Random
Oracle Model", where some objects are idealized, namely hash functions which
are assumed perfectly random. This helped them to design later OAEP [ref], the
most efficient encryption scheme known until now. In spite of a recent paper [ref]
making people careful with the random oracle model, the security of OAEP
has been widely agreed. Indeed, this scheme is incorporated in SET, the Secure
Electronic Transaction system [ref] proposed by VISA and MasterCard, and will
become the new RSA encryption standard PKCS #1 v2.0 [ref].
Furthermore, an important feature of the random oracle model is to provide
efficient reductions between a well-studied mathematical problem and an
attack. Therefore, the reduction validates protocols together with practical parameters,
whereas huge-polynomial reductions, which can hardly be avoided in
the standard model, only prove asymptotic security, for large parameters.

As a conclusion, it is better to get an efficient reduction in the random oracle 
model than a complex reduction in the standard model, since this latter does 
not prove anything for practical sizes! 

Aim of our work. Because of all these inefficient or insecure schemes, it is
clear that, from now on, the main goal is to design a cryptosystem that combines
both efficiency and security. In other words, we would like a semantically secure
scheme as efficient as RSA.

Outline of the paper. Our feeling was that such a goal required new al- 
gebraic problems. In this paper, we first present the Computational Dependent- 
RSA problem, a problem derived from the RSA assumption. We also propose a 
decisional variant, the Decisional Dependent-RSA problem. Then, we give some 
arguments to validate the cryptographic purpose of those problems, with a care- 
ful study of their difficulty and their relations with RSA. Namely, the Compu- 
tational Dependent-RSA problem is, in a way, equivalent to RSA. 

Next, we apply them successfully to the asymmetric encryption setting, and 
we present a very efficient encryption scheme with the proof of its semantic secu- 
rity relative to the Decisional Dependent-RSA problem in the standard model. 
Thereafter, we present two techniques to make this scheme semantically secure 
both against adaptive chosen-ciphertext attacks and relative to the Computa- 
tional Dependent-RSA problem in the random oracle model. Both techniques 
improve the security level at a very low cost. 



1 The Dependent-RSA Problems 

As claimed above, the only way to provide new interesting encryption schemes 
seems to find new algebraic problems. In this section, we focus on new problems 
with a careful study of both their difficulty and their relations. 



1.1 Definitions 

For all the problems presented below, we are given a large composite RSA modulus
$N$ and an exponent $e$ relatively prime to $\varphi(N)$, the totient function of
the modulus $N$. Let us define a first new problem called the Computational
Dependent-RSA Problem (C-DRSA).

Definition 1 (The Computational Dependent-RSA: C-DRSA$(N,e)$).
Given: $\alpha \in \mathbb{Z}_N^*$;
Find: $(a + 1)^e \bmod N$, where $\alpha = a^e \bmod N$.

Notation: We denote by $\mathrm{Succ}(\mathcal{A})$ the success probability of an adversary $\mathcal{A}$:

$$\mathrm{Succ}(\mathcal{A}) = \Pr_{a \in \mathbb{Z}_N^*}\left[\mathcal{A}(a^e \bmod N) = (a + 1)^e \bmod N\right] .$$

As it has already been done with the Diffie-Hellman problem [ref], we can define
a decisional version of this problem, therefore called the Decisional Dependent-RSA
Problem (D-DRSA): given a candidate to the Computational Dependent-RSA
problem, is it the right solution? This decisional variant will then lead to
a semantically secure encryption scheme.



Definition 2 (The Decisional Dependent-RSA: D-DRSA$(N,e)$).
Problem: Distinguish the two distributions

$$\mathcal{R}and = \left\{(\alpha, \gamma) = (a^e \bmod N,\; c^e \bmod N) \;\middle|\; a, c \in \mathbb{Z}_N^*\right\}$$

$$\mathcal{DRSA} = \left\{(\alpha, \gamma) = (a^e \bmod N,\; (a + 1)^e \bmod N) \;\middle|\; a \in \mathbb{Z}_N^*\right\} .$$

Notation: We denote by $\mathrm{Adv}(\mathcal{A})$ the advantage of a distinguisher $\mathcal{A}$:

$$\mathrm{Adv}(\mathcal{A}) = \left|\, \Pr_{\mathcal{R}and}[\mathcal{A}(\alpha, \gamma) = 1] - \Pr_{\mathcal{DRSA}}[\mathcal{A}(\alpha, \gamma) = 1] \,\right| .$$



1.2 The Dependent-RSA Problems and RSA

In order to study those Dependent-RSA problems, we define a new one, we call
the Extraction Dependent-RSA Problem (E-DRSA):

Given: $\alpha = a^e \in \mathbb{Z}_N^*$ and $\gamma = (a + 1)^e \in \mathbb{Z}_N^*$;
Find: $a \bmod N$.

One can then prove that extraction of $e$-th roots is easier to solve than
the Computational Dependent-RSA problem and the Extraction Dependent-RSA
problem together.

Theorem 3. RSA$(N,e) \Longleftrightarrow$ E-DRSA$(N,e)$ + C-DRSA$(N,e)$.

Proof. Let $\mathcal{A}$ be an E-DRSA adversary and $\mathcal{B}$ a C-DRSA adversary. For a given
$c = a^e \bmod N$, an element of $\mathbb{Z}_N^*$ whose $e$-th root is wanted, one uses $\mathcal{B}$ to
obtain $(a + 1)^e \bmod N$ and gets $a$ from $\mathcal{A}(a^e \bmod N, (a + 1)^e \bmod N)$.

The opposite direction is trivial, since extraction of $e$-th roots helps to solve
all the given problems. □

Furthermore, it is clear that any decisional problem is easier to solve than
its related computational version, and trying to extract $a$, it is easy to decide
whether the given $\gamma$ is the right one. Finally, for any $(N, e)$, the global picture is

$$\text{C-DRSA} + \text{E-DRSA} \Longrightarrow \text{RSA} \Longrightarrow \text{C-DRSA},\ \text{E-DRSA} \Longrightarrow \text{D-DRSA},$$

where $A \Longrightarrow B$ means that an oracle that breaks $A$ can be used to break $B$
within a time polynomial in the size of $N$.
2 How To Solve the Dependent-RSA Problems?

In order to use these problems in cryptography, we need to know their practical
difficulty, for reasonable sizes. Hopefully, some of them have already been studied
in the past. Indeed, they are related to many properties of the RSA cryptosystem,
namely its malleability, its security against related-message attacks [ref] and in
the multicast setting [ref].

Concerning the Extraction Dependent-RSA problem, some methods have
been proposed by Coppersmith et al. [ref], trying to solve the related-message
system:

$$\begin{cases} \alpha = m^e \bmod N \\ \beta = (m + 1)^e \bmod N \end{cases}$$



2.1 A First Method: Successive Eliminations 

Let us assume that $e = 3$, then it is possible to successively eliminate the powers
of $m$ and express $m$ from $\alpha$ and $\beta$:

$$\begin{cases} \alpha = m^3 \bmod N \\ \beta = (m + 1)^3 = m^3 + 3m^2 + 3m + 1 = \alpha + 3m^2 + 3m + 1 \bmod N \end{cases}$$

$$\begin{cases} m \times (\beta - \alpha) - 3\alpha = 3m^2 + m \bmod N \\ \beta - \alpha = (3m^2 + m) + 2m + 1 = m \times (\beta - \alpha + 2) - 3\alpha + 1 \bmod N \end{cases}$$

Then, $m = \dfrac{\beta + 2\alpha - 1}{\beta - \alpha + 2} \bmod N$.

First, Coppersmith et al. [ref] claimed that for each $e$, there exist polynomials
$P$ and $Q$ such that each can be expressed as rational polynomials in $X^e$ and
$(X + 1)^e$, and such that $Q(X) = X P(X)$. Then $m = Q(m)/P(m)$. However, the
explicit expression of $m$ as a ratio of two polynomials in $\alpha$ and $\beta$ requires $O(e^2)$
coefficients; furthermore it is not obvious how to calculate them efficiently.
Consequently, this first method fails as soon as $e$ is greater than, say



2.2 A Second Method: Greatest Common Divisor 

A second method comes from the remark that $m$ is a root for both the polynomials
$P$ and $Q$ over the ring $\mathbb{Z}_N$, where

$$P(X) = X^e - \alpha \quad \text{and} \quad Q(X) = (X + 1)^e - \beta .$$

Then $X - m$ is a divisor of the gcd of $P$ and $Q$. Furthermore, one can see that
with high probability, it is exactly the gcd. A straightforward implementation
of Euclid's algorithm takes $O(e^2)$ operations in the ring $\mathbb{Z}_N$. More sophisticated
techniques can be used to compute the gcd in $O(e \log^2 e)$ time [ref]. Then, this
second method fails as soon as $e$ is greater than $2^{60}$.
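To see concretely what Theorem 4 below rests on, and why the DRSA schemes are only proposed with large exponents (Conjecture 8), here is an added example (not code from the paper) that recovers $m$ from $\alpha = m^e$ and $\beta = (m+1)^e$ for small $e$: first with the closed form of Section 2.1 for $e = 3$, then with the polynomial-gcd method of Section 2.2. The modulus, the exponents tried and the helper names are this example's choices. It is the parameter check a reviewer would run before accepting a small $e$ for any scheme whose security rests on E-DRSA being hard.

```python
# Added example: the two E-DRSA methods of Section 2 on a toy modulus. Not the paper's code.
import random
from math import comb

def edrsa_e3(alpha, beta, N):
    """Closed form of Section 2.1 (e = 3): m = (beta + 2 alpha - 1) / (beta - alpha + 2) mod N."""
    return (beta + 2 * alpha - 1) * pow((beta - alpha + 2) % N, -1, N) % N

def poly_trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_mod(a, b, N):
    """Remainder of a modulo b in Z_N[X]; coefficient lists run from X^0 upwards."""
    a = a[:]
    db = len(b) - 1
    inv = pow(b[-1], -1, N)           # raises ValueError if the leading coefficient is not a unit
    while a and len(a) - 1 >= db:
        coef = a[-1] * inv % N
        shift = len(a) - 1 - db
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % N
        poly_trim(a)
    return a

def edrsa_gcd(alpha, beta, N, e):
    """Section 2.2: gcd(X^e - alpha, (X+1)^e - beta) over Z_N is X - m with high probability.
    Plain Euclid, so O(e^2) ring operations; only sensible for small e."""
    P = [(-alpha) % N] + [0] * (e - 1) + [1]            # X^e - alpha
    Q = [comb(e, i) % N for i in range(e + 1)]          # (X + 1)^e ...
    Q[0] = (Q[0] - beta) % N                            # ... - beta
    a, b = P, Q
    try:
        while True:
            r = poly_mod(a, b, N)
            if not r:
                break
            a, b = b, r
        if len(b) != 2:                # gcd not linear: the common root is not isolated
            return None
        c0, c1 = b
        return (-c0) * pow(c1, -1, N) % N
    except ValueError:                 # a non-unit coefficient (would reveal a factor of N)
        return None

def demo():
    """Both methods recover m for e = 3; the gcd method also for e = 5 and e = 17."""
    rng = random.Random(11)
    N = 1000003 * 1000033              # constructed toy modulus, two 20-bit primes
    for e in (3, 5, 17):
        m = rng.randrange(2, N)
        alpha, beta = pow(m, e, N), pow(m + 1, e, N)
        if edrsa_gcd(alpha, beta, N, e) != m:
            return False
        if e == 3 and edrsa_e3(alpha, beta, N) != m:
            return False
    return True
```

The cost that matters is in `edrsa_gcd`: every Euclid step is a polynomial of degree up to $e$, so the work grows with $e$ itself rather than with $|e|$, which is exactly why the paper's threshold is stated on the size of $e$ as a number ($2^{60}$) and not on its bit length.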
2.3 Consequences on the Computational Dependent-RSA Problem

Since the RSA cryptosystem appeared [ref], many people have attempted to find
weaknesses. Concerning the malleability of the encryption, the multiplicative
property is well-known. In other words, it is easy to derive the encryption of
$m \times m'$ from the encryption of $m$, for any $m'$, without knowing the message
$m$ itself. However, from the encryption of an unknown message $m$, nothing has
been found to derive the encryption of $m + 1$, whatever the exponent $e$ may be.

Concerning the Extraction Dependent-RSA problem, one can then state the
following theorem:

Theorem 4. There exist algorithms that solve the problem E-DRSA$(N, e)$ in
$O(e \times |e|^2)$ time.

In conjunction with Theorem 3, we can therefore claim that

Theorem 5. There exists a reduction from the RSA problem to the Computational
Dependent-RSA problem in $O(|N|^2,\, e \times |e|^2)$ time.

Then, for any fixed exponent $e$, RSA$(N, e)$ is reducible to C-DRSA$(N, e)$ polynomially
in the size of $N$, since the Extraction Dependent-RSA problem is "easy"
to solve, using the gcd technique (see the previous section).

Anyway, computation of $e$-th roots seems always required to solve the Computational
Dependent-RSA problem, which is intractable for any exponent $e$,
according to the RSA assumption.

Conjecture 6. The Computational Dependent-RSA problem is intractable for
large enough RSA moduli.

Remark 7. Because of Theorem 5, this conjecture holds for small exponents,
since then C-DRSA is as hard as RSA.

2.4 About the Decisional Dependent RSA Intractability 

The gcd technique seems to be the best known attack against the Decisional
Dependent-RSA problem and is impractical as soon as the exponent $e$ is greater
than $2^{60}$. This leads to the following conjecture:

Conjecture 8. The Decisional Dependent-RSA problem is intractable as soon as
the exponent $e$ is greater than $2^{60}$, for large enough RSA moduli.

3 Security Notions for Encryption Schemes 

Fig. 1. The DRSA Encryption Scheme

For the formal definitions of all the kinds of attacks and of security notions,
we refer the reader to the last Crypto paper [ref]. However, let us briefly recall
the main security notion, the semantic security (a.k.a. indistinguishability of
encryptions) defined by Goldwasser and Micali [ref]. For this notion, an attacker
is seen as a two-stage ("find-and-guess") Turing machine which first chooses two
messages, during the "find"-stage. In the second stage, the "guess"-stage, she
receives a challenge, which is the encryption of one of both chosen messages,
and has to guess which one is the corresponding plaintext.

In the public-key setting, any attacker can play a chosen-plaintext attack,
since she can encrypt any message she wants. However, stronger attacks have been
defined. First, Naor and Yung [ref] defined the chosen-ciphertext attack (a.k.a.
lunchtime attack) where the attacker has access to a decryption oracle during
the "find"-stage, to choose the two plaintexts. Then, Rackoff and Simon [ref]
improved this notion, giving the decryption oracle access to the attacker in both
stages (with the trivial restriction not to ask the challenge ciphertext). This
attack is known as adaptive chosen-ciphertext attack and is the strongest that
an attacker can play, in the classical model.

The aim of this paper is to provide a new efficient scheme, semantically secure 
against adaptive chosen-ciphertext attacks. 

4 The DRSA Encryption Scheme 

The Dependent-RSA problem can be used, like the Diffie-Hellman problem [ref],
to provide encryption schemes. An RSA version of the El Gamal encryption [ref]
is then proposed with some security properties, namely semantic security against
chosen-plaintext attacks. In the next section, we propose two variants with very
interesting improved security properties together with high efficiency.

4.1 Description 

The scheme works as described in figure 1. We are in the RSA setting: each user
publishes an RSA modulus $N$ while keeping secret the prime factors $p$ and $q$. He
also chooses a public exponent $e$ and its inverse $d$ modulo $\varphi(N)$. The public key
consists in the pair $(N, e)$, while the secret key is the private exponent $d$ (it can
also consist in the prime factors $p$ and $q$ to improve the decryption algorithm
efficiency, using the Chinese Remainder Theorem). To encrypt the message
$m \in \{0, \dots, N - 1\}$ to Alice whose public key is $(N, e)$, Bob chooses a random
$k \in \mathbb{Z}_N^*$ and computes $A = k^e \bmod N$ as well as $B = m \times (k + 1)^e \bmod N$. He
sends the pair $(A, B)$ to Alice. When she receives a pair $(A, B)$, Alice computes
$k = A^d \bmod N$ and recovers the plaintext $m = B/(k + 1)^e \bmod N$.

4.2 Security Properties 

The same way as for the El Gamal encryption scheme, one can prove the semantic
security of this scheme.

Theorem 9. The DRSA encryption scheme is semantically secure against
chosen-plaintext attacks relative to the Decisional Dependent-RSA problem.

Proof. Let us consider an attacker $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ who can break the semantic
security of this scheme within a time $t$ and with an advantage, in the "guess"-stage,
greater than $\varepsilon$.

In the figure below, we construct a D-DRSA adversary, $\mathcal{B}$, who is able
to break the Decisional Dependent-RSA problem for the given public key
$(N, e)$ with an advantage greater than $\varepsilon/2$ and a similar running time. The
equivalence between the semantic security and the Decisional Dependent-RSA
problem will follow, since the opposite direction is straightforward.

On one hand, we have to study the probability for $\mathcal{A}_2$ to answer $c = b$ when
the pair $(\alpha, \gamma)$ comes from the random distribution. But in this case, one can
see that the pair $(A, B) \in \{(r^e, m_b s^e) \mid r, s \in \mathbb{Z}_N^*\}$ is uniformly distributed in the
product space $\mathbb{Z}_N^* \times \mathbb{Z}_N^*$, hence independently of $b$. Then

$$\Pr_{\mathcal{R}and}[\mathcal{B}(\alpha, \gamma) = 1] = \Pr_{\mathcal{R}and}[c = b] = \frac{1}{2} .$$

On the other hand, when the pair $(\alpha, \gamma)$ comes from the $\mathcal{DRSA}$ distribution,
one can remark that $(A, B)$ is a valid ciphertext of $m_b$, following a uniform
distribution among the possible ciphertexts. Then

$$\Pr_{\mathcal{DRSA}}[\mathcal{B}(\alpha, \gamma) = 1] = \Pr_{\mathcal{DRSA}}[c = b]
= \Pr_{b}[\mathcal{A}_2(s, m_0, m_1, \mathcal{E}(m_b)) = b] = \frac{1}{2} + \frac{\mathrm{Adv}^{\mathcal{A}}}{2} .$$

$\mathcal{B}(\alpha, \gamma)$:
    Run $\mathcal{A}_1(pk)$; get $m_0, m_1, s$
    Randomly choose $b \in \{0, 1\}$
    $A = \alpha$, $B = m_b \cdot \gamma \bmod N$
    Run $\mathcal{A}_2(s, m_0, m_1, (A, B))$; get $c$
    if $c = b$ Return 1
    else Return 0

The advantage of $\mathcal{B}$ in distinguishing the $\mathcal{DRSA}$ and the $\mathcal{R}and$ distributions is
$\mathrm{Adv}(\mathcal{B}) = \mathrm{Adv}^{\mathcal{A}}/2$, and therefore greater than $\varepsilon/2$. □
Initialization
    $\ell$, security parameter
    $N = pq$, a large RSA modulus
    $e$, an exponent, relatively prime to $\varphi(N)$
    $h : \mathbb{Z}_N \times \mathbb{Z}_N \to \{0, 1\}^\ell$, a hash function
    Public key: $(N, e)$
    Secret key: $d = e^{-1} \bmod \varphi(N)$

Encryption of $m \in \{0, \dots, N - 1\}$
    $k \in \mathbb{Z}_N^*$
    $A = k^e \bmod N$
    $B = m \times (k + 1)^e \bmod N$
    $H = h(m, k) \in \{0, 1\}^\ell$
    Then, $C = (A, B, H)$

Decryption of $C = (A, B, H)$
    $k = A^d \bmod N$
    $m = B / (k + 1)^e \bmod N$
    $H \stackrel{?}{=} h(m, k)$

Fig. 2. First Variant: The DRSA-1 Encryption Scheme



5 Some Variants 

As it has already been remarked, attackers can be in a stronger scenario than 
the chosen-plaintext one. Now, we improve the security level, making the scheme 
resistant to adaptive chosen-ciphertext attacks, in the random oracle model. In a 
second step, we weaken the algorithmic assumption: an attacker against the se- 
mantic security of the second variant, in an adaptive chosen-ciphertext scenario, 
can be used to efficiently break the Computational Dependent-RSA problem, 
and not only the Decisional Dependent-RSA problem. 

Furthermore, it is important to remark that both improvements are very 
low-cost on both a computational point of view and the size of the ciphertexts. 

5.1 Description of the First Variant: DRSA-1 

The scheme works as described in figure 2, where $h$ is a hash function, seen
like a random oracle which outputs $\ell$-bit numbers. The initialization is unchanged.
To encrypt a message $m \in \{0, \dots, N - 1\}$ to Alice whose public key
is $(N, e)$, Bob chooses a random $k \in \mathbb{Z}_N^*$ and computes $A = k^e \bmod N$ as well
as $B = m \times (k + 1)^e \bmod N$ and the control padding $H = h(m, k)$. He sends
the triple $(A, B, H)$ to Alice. When she receives a triple $(A, B, H)$, Alice first
computes the random value $k = A^d \bmod N$ and recovers the probable plaintext
$m = B/(k + 1)^e \bmod N$. She then checks whether they both satisfy the control
padding $H = h(m, k)$.
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5.2 Security Properties 

Concerning this scheme, we claim the following result: 

Theorem 10. The DRSA-1 encryption scheme is semantically secure against 
adaptive chosen- ciphertext attacks relative to the Decisional Dependent-RSA 
problem in the random oracle model. 



Proof. This proof is similar to the previous one, except for two simulations.
Indeed, we first have to simulate the random oracle, and more particularly for
the challenge ciphertext, which is the triple (A = α, B = m_b × γ, H), where H
is randomly chosen in {0,1}^ℓ. For any new query to the random oracle, one
simply returns a new random value. Furthermore, any query (m, k) to the random
oracle is filtered: if k^e = α mod N, then we stop the game, and according to
whether γ = (k + 1)^e mod N we output 1 or 0. Secondly, since we are in an adaptive
chosen-ciphertext scenario, we have to simulate the decryption oracle: when the
adversary asks a query (A', B', H'), the simulator looks in the table of the queries
previously made to the random oracle to find the answer H'. Then, two cases
may appear:

— H' has been returned by the random oracle and corresponds to a query (m, k)
(there may be many queries corresponding to this answer). The simulator
checks whether A' = k^e mod N and B' = m × (k + 1)^e mod N. Then it
returns m as the decryption of the triple (A', B', H'). Otherwise, the simulator
considers that it is an invalid ciphertext and returns the reject symbol ⊥.

— Otherwise, the simulator returns the reject symbol ⊥.



The bias is the same as above when all the simulations are correctly made.
Concerning the simulation of the random oracle, it is perfectly made, because
of the randomness of the answers. However, some decryptions may be incorrect,
but only by refusing a valid ciphertext: a ciphertext is refused if the query (m, k)
has not been asked to the random oracle h. The attacker might have
guessed the right value for h(m, k) without having asked for it, but only with
probability 1/2^ℓ.

Then, if the pair (α, γ) comes from the DRSA distribution, since the probability
of success can only be improved if the adversary guesses the e-th root of α,
which would have led us to stop the game with an answer 1,

\[
\Pr_{\mathrm{DRSA}}[\mathcal{B}(\alpha,\gamma)=1] \ge \frac{1}{2} + \frac{\mathrm{Adv}^{\mathcal{A}}}{2} - \frac{q_d}{2^{\ell}},
\]

where the adversary asks at most q_d queries to the decryption oracle. However,
if the pair (α, γ) comes from the random distribution, for the same reason as in
the previous proof, the adversary cannot gain any advantage, except in the case
where she has guessed the e-th root of α, but then B likely outputs 0:

\[
\Pr_{\mathrm{Rand}}[\mathcal{B}(\alpha,\gamma)=1] \le \frac{1}{2} - \Pr[\alpha^d \text{ guessed}] \le \frac{1}{2}.
\]

Therefore,

\[
\mathrm{Adv}(\mathcal{B}) \ge \frac{\mathrm{Adv}^{\mathcal{A}}}{2} - \frac{q_d}{2^{\ell}}. \qquad \square
\]
5.3 Description of the Second Variant: DRSA-2

We can furthermore weaken the algorithmic assumption, making the scheme
equivalent to the computational problem rather than to the decisional one. The
variant works as described in figure 3, where h1 and h2 are two hash functions,
seen as random oracles which output k1-bit numbers and k2-bit numbers
respectively. The initialization is unchanged. To encrypt a message m ∈ {0,1}^{k1}
to Alice, whose public key is (N, e), Bob chooses a random k ∈_R Z_N^* and computes
A = k^e mod N. He can then mask the message in B = m ⊕ h1((k + 1)^e mod N),
a k1-bit long string, and compute the control padding H = h2(m, k) ∈ {0,1}^{k2}.
He sends the triple (A, B, H) to Alice. When she receives a ciphertext (A, B, H),
Alice first computes the random value k = A^d mod N. She can therefore recover
the probable plaintext m = B ⊕ h1((k + 1)^e mod N). Then, she checks whether
they both satisfy the control padding, H = h2(m, k).

Initialization
    k1, size of the plaintext
    k2, security parameter
    N = pq, a large RSA modulus
    e, an exponent, relatively prime to φ(N)
    h1 : Z_N → {0,1}^{k1}, a hash function
    h2 : {0,1}^{k1} × Z_N → {0,1}^{k2}, a hash function
    Public key: (N, e)
    Secret key: d = e^{-1} mod φ(N)

Encryption of m ∈ {0,1}^{k1}
    k ∈_R Z_N^*
    A = k^e mod N
    B = m ⊕ h1((k + 1)^e mod N)
    H = h2(m, k)
    Then, C = (A, B, H)

Decryption of C = (A, B, H)
    k = A^d mod N
    m = B ⊕ h1((k + 1)^e mod N)
    H ?= h2(m, k)

Fig. 3. Second Variant: The DRSA-2 Encryption Scheme
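As an added example, not code from the paper, here is a toy Python implementation of both variants side by side: the DRSA-1 scheme of figure 2 and the DRSA-2 scheme of figure 3, with the plain (unpadded) DRSA decryption alongside so that the role of the control padding is visible. The small primes, the SHA-256-based stand-ins for the random oracles h, h1, h2, the parameter values ℓ, k1, k2, and all function names (drsa1_encrypt, drsa2_decrypt, malleability_demo, ...) are assumptions of this example, not the paper's.

```python
import hashlib
from math import gcd
from secrets import randbelow

# Toy parameters, constructed for illustration only: two small primes so the
# arithmetic is easy to follow (a real modulus N would be 1024 bits or more).
P, Q = 1_000_003, 1_000_033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                       # public exponent, relatively prime to phi(N)
D = pow(E, -1, PHI)             # secret exponent d = e^-1 mod phi(N)
ELL = 64                        # DRSA-1 security parameter: h outputs ell bits
K1, K2 = 32, 64                 # DRSA-2: plaintext length k1, padding length k2
PK, SK = (N, E), (N, D, E)


def _hash_bits(tag, parts, bits):
    """Random-oracle stand-in (an assumption of this example): SHA-256 over a
    domain tag and fixed-width integers, truncated to `bits` bits."""
    data = tag + b"".join(x.to_bytes(8, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def h(m, k):      # DRSA-1:  h  : Z_N x Z_N -> {0,1}^ell
    return _hash_bits(b"drsa1-h", (m, k), ELL)


def h1(x):        # DRSA-2:  h1 : Z_N -> {0,1}^k1   (the mask)
    return _hash_bits(b"drsa2-h1", (x,), K1)


def h2(m, k):     # DRSA-2:  h2 : {0,1}^k1 x Z_N -> {0,1}^k2   (control padding)
    return _hash_bits(b"drsa2-h2", (m, k), K2)


def random_unit(n):
    """k in Z_N^* such that k+1 is invertible too, so B/(k+1)^e is defined."""
    while True:
        k = 1 + randbelow(n - 2)
        if gcd(k, n) == 1 and gcd(k + 1, n) == 1:
            return k


def drsa1_encrypt(m, pk=PK, k=None):
    n, e = pk
    k = random_unit(n) if k is None else k
    a = pow(k, e, n)                             # A = k^e mod N
    b = m * pow(k + 1, e, n) % n                 # B = m * (k+1)^e mod N
    return a, b, h(m, k)                         # H = h(m, k)


def drsa1_decrypt(c, sk=SK):
    n, d, e = sk
    a, b, hh = c
    k = pow(a, d, n)                             # k = A^d mod N
    m = b * pow(pow(k + 1, e, n), -1, n) % n     # m = B / (k+1)^e mod N
    return m if h(m, k) == hh else None          # reject unless H = h(m, k)


def drsa_decrypt_unchecked(c, sk=SK):
    """Plain DRSA decryption (no control padding): accepts any (A, B)."""
    n, d, e = sk
    a, b, _ = c
    k = pow(a, d, n)
    return b * pow(pow(k + 1, e, n), -1, n) % n


def drsa2_encrypt(m, pk=PK, k=None):
    n, e = pk
    k = random_unit(n) if k is None else k
    a = pow(k, e, n)                             # A = k^e mod N
    b = m ^ h1(pow(k + 1, e, n))                 # B = m xor h1((k+1)^e mod N)
    return a, b, h2(m, k)                        # H = h2(m, k)


def drsa2_decrypt(c, sk=SK):
    n, d, e = sk
    a, b, hh = c
    k = pow(a, d, n)
    m = b ^ h1(pow(k + 1, e, n))
    return m if h2(m, k) == hh else None         # reject unless H = h2(m, k)


def malleability_demo(m, k):
    """Multiply B by 2: plain DRSA returns 2m, DRSA-1 rejects the forgery."""
    a, b, hh = drsa1_encrypt(m, PK, k)
    forged = (a, 2 * b % N, hh)
    return drsa_decrypt_unchecked(forged), drsa1_decrypt(forged)


if __name__ == "__main__":
    print(drsa1_decrypt(drsa1_encrypt(123456789)))
    print(drsa2_decrypt(drsa2_encrypt(0xDEADBEEF)))
    print(malleability_demo(123456789, 424242))
```

Run as a script it prints the two recovered plaintexts and then the pair (2m, None): the unchecked DRSA decryption accepts the modified B and returns 2m, whereas DRSA-1 rejects it because h(2m, k) does not match H. That rejection is precisely what the decryption-oracle simulation in the proof of Theorem 10 relies on.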

Theorem 11. The DRSA-2 encryption scheme is semantically secure against 
adaptive chosen-ciphertext attacks relative to the Dependent-RSA problem in the 
random oracle model. 

Proof. The result comes from the fact that any attacker cannot gain any advantage
in distinguishing the original plaintext (in an information theoretical sense)
if she has not asked for any (*, k) to h2 (which is called "event 1" and denoted
by E1) or for (k + 1)^e mod N to h1 (which is called "event 2" and denoted by
E2). Then, for a given α = a^e mod N, either we learn the e-th root of α, or
(a + 1)^e mod N is in the list of the queries asked to h1. Both cases lead to the
computation of (a + 1)^e mod N.

More precisely, let A = (A1, A2) be an attacker against the semantic security
of the DRSA-2 encryption scheme, using an adaptive chosen-ciphertext
attack. Within a time bound t, she asks q_d queries to the decryption oracle
and q_h queries to the random oracles and distinguishes the right plaintext with
an advantage greater than ε. We can use her to provide an algorithm that solves
the Computational Dependent-RSA problem, simply by filtering the queries asked
to the random oracles.

Actually, because of the randomness of the random oracle h1, if no critical
queries have been asked,

\[
\begin{aligned}
\Pr_b[\mathcal{A}_2(s,m_0,m_1,\mathcal{E}(m_b)) = b] &= \frac{1}{2} \pm \frac{\mathrm{Adv}^{\mathcal{A}}}{2} \\
&= \Pr_b[\mathcal{A}_2 = b \wedge \neg(E_1 \vee E_2)] + \Pr_b[\mathcal{A}_2 = b \wedge (E_1 \vee E_2)] \\
&= \Pr[\neg(E_1 \vee E_2)] \times 1/2 + \Pr_b[\mathcal{A}_2 = b \wedge (E_1 \vee E_2)].
\end{aligned}
\]

Then, ±Adv^A = Pr[E1 ∨ E2] − 2 × Pr_b[A2(s, m0, m1, E(m_b)) = b ∧ (E1 ∨ E2)], and
both cases imply Pr[E1 ∨ E2] ≥ Adv^A.

Using our simulations, namely for the decryption oracle, we obtain, as previously
seen,

\[
\Pr[(E_1 \vee E_2) \wedge \text{no incorrect decryption}] \ge \mathrm{Adv}^{\mathcal{A}} - q_d \times 2^{-k_2}.
\]

For the reduction, one just has to randomly choose the query which should
correspond to (a + 1)^e mod N. With probability greater than 1/q_h, it is a good
choice (or maybe event 2 happens, but we assume the worst case). Then, with
probability greater than (Adv^A − q_d/2^{k2})/q_h, within roughly the same running
time as the adversary A, one obtains the right value for (a + 1)^e mod N
corresponding to the given α = a^e mod N. □



6 Efficiency

Now that we know that these schemes are provably secure, let us compare them
with other well-known cryptosystems from a computational point of view. First,
let us briefly recall the three other schemes we will consider:

El Gamal. An authority chooses and publishes two large prime numbers p and
q such that q is a large prime factor of p − 1, together with an element g of Z_p^*
of order q. Each user chooses a secret key x in Z_q^* and publishes y = g^x mod p.
To encrypt a message m, one has to choose a random element k in Z_q^* and send
the pair (r = g^k mod p, s = m × y^k mod p) as the ciphertext. The recipient can
recover the message from a pair (r, s) since m = s/r^x mod p, where x is his
secret key. To reach semantic security this scheme requires m to be in the
subgroup generated by g. To be practical, one can choose p = 2q + 1, a strong
prime, which consequently increases the number of multiplications to be made
for an encryption. We do not consider any variant of El Gamal, since all are
much heavier to implement.

RSA. Each user chooses a large RSA modulus N = pq of size n together
with an exponent e. He publishes both and keeps secret the private exponent
d = e^{-1} mod φ(N). To encrypt a message m, one just has to send the string
c = m^e mod N. To recover the plaintext, the recipient computes c^d = m mod N.

Optimal Asymmetric Encryption Padding. The RSA variant OAEP was, to our
knowledge, the most efficient scheme: An authority chooses and publishes
two hash functions g and h which both output n/2-bit strings. Each user chooses
as above a public key (N, e), where N is an n-bit long RSA modulus, and keeps
secret the exponent d. To encrypt a message m, one has to choose a random
element r, compute A = (m||0^{k1}) ⊕ g(r) and B = r ⊕ h(A), and finally send
C = (A||B)^e mod N. The recipient can recover the message from C by first
computing A||B = C^d mod N, then r = B ⊕ h(A) and M = A ⊕ g(r). If M ends
with k1 zero bits, then m is the beginning of M.

Both encryption schemes (the original RSA and OAEP) essentially require
one exponentiation to the power e per encryption. As one can remark, this
exponentiation depends on the message, and therefore has to be done online.

Precomputations. In the same vein as a paper from the last Eurocrypt [5], our scheme
allows precomputations. Indeed, a user can precompute many pairs for a given
recipient, i.e., (a^e mod N, (a + 1)^e mod N). Then an encryption only requires
one multiplication, or even a XOR. However, to be fair, in the following, we
won't consider this feature.

Efficiency Comparison. One can see in figure 4 a brief comparison table
involving our schemes together with the El Gamal encryption scheme (with
a 512-bit long prime p = 2q + 1), the RSA cryptosystem and its OAEP version.
Because of the new 140-digit record for factorization, for a similar security
level between factorization-based schemes and discrete logarithm-based ones, we
consider 1024-bit RSA moduli: n = |N| = 1024, e = 65537 = 2^16 + 1, and
furthermore k1 = 64 for OAEP. Concerning our DRSA encryption schemes, we also
use a 1024-bit long modulus N. However, whereas we can use e = 65537 (or even
smaller, such as e = 3, since related-message attacks do not seem to be applicable)
in schemes based on the Computational Dependent-RSA problem (such
as the DRSA-2 scheme), we need to use a larger exponent with the Decisional
Dependent-RSA-based schemes, to avoid the attacks presented above against the
semantic security. Then, we use e = 2^67 + 3, which is a prime integer, in the
DRSA and in the DRSA-1 schemes.



252 David Pointcheval

Schemes                 | RSA  | OAEP | El Gamal | DRSA   | DRSA-1  | DRSA-2  | DRSA-2
Modulus size (bits)     | 1024 | 1024 | 512      | 1024   | 1024    | 1024    | 1024
Security
  Inversion             | RSA  | RSA  | DH       | C-DRSA | C-DRSA  | C-DRSA  | C-DRSA
  CPA-IND               | -    | RSA* | D-DH     | D-DRSA | D-DRSA* | C-DRSA* | C-DRSA*
  CCA2-IND              | -    | RSA* | -        | -      | D-DRSA* | C-DRSA* | C-DRSA*
Size (in bits)
  Plaintext             | 1024 | 448  | 511      | 1024   | 1024    | 1024    | 2048
  Ciphertext            | 1024 | 1024 | 1024     | 2048   | 2208    | 2208    | 3232
  Expansion             | 1    | 2.3  | 2        | 2      | 2.2     | 2.2     | 1.6
Encryption
  Workload              | 17   | 17   | 384      | 139    | 139     | 35      | 35
  Workload/kB           | 136  | 311  | 6144     | 1112   | 1112    | 280     | 140
Decryption
  Workload              | 384  | 384  | 192      | 523    | 523     | 419     | 419
  Workload/kB           | 3072 | 7022 | 3072     | 4184   | 4184    | 3352    | 1676

* in the random oracle model

Fig. 4. Efficiency of Encryptions and Decryptions



Remark 12. In this table, the basic operation is the modular multiplication with
a 1024-bit long modulus. We assume that the modular multiplication algorithm
is quadratic in the modulus size and that modular squares are computed with
the same algorithm. Furthermore, in the decryption phase, we use the CRT when
it is possible.
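As an added example, not from the paper, the cost model of Remark 12 written out in Python so that the RSA-family rows of Fig. 4 can be rederived. It assumes square-and-multiply exponentiation (bit-length minus one squarings plus Hamming-weight minus one multiplications), a quadratic multiplier (an n/2-bit operation costs a quarter of an n-bit one), and, for the DRSA family, that decryption is charged the CRT private exponentiation plus the full public-side workload; the last point is inferred from the table's 523 and 419 figures, not stated in the text. The El Gamal column is left out. Function names (exp_cost, fig4_row, ...) are this example's own.

```python
from fractions import Fraction

N_BITS = 1024                 # modulus size n = |N| used in Fig. 4
KB_BITS = 8 * 1024            # "workload per kB" is per 8192 plaintext bits
E_SMALL = 65537               # 2^16 + 1, used by RSA, OAEP and DRSA-2
E_LARGE = (1 << 67) + 3       # the prime exponent used by DRSA and DRSA-1


def exp_cost(e):
    """Square-and-multiply cost of x^e mod N in 1024-bit modular multiplications:
    (bit-length - 1) squarings plus (Hamming weight - 1) multiplications."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def crt_private_cost(n_bits=N_BITS):
    """x^d mod N with the CRT: two exponentiations with random n/2-bit exponents
    (n/2 squarings + n/4 multiplications each), and a quadratic multiplier makes
    each n/2-bit operation cost one quarter of an n-bit one."""
    half = n_bits // 2
    return Fraction(2 * (half + half // 2), 4)


def encryption_cost(scheme):
    """Encryption workload: RSA and OAEP do one e-th power; the DRSA family does
    two (k^e and (k+1)^e) plus one multiplication (the table applies the same
    count to DRSA-2, whose masking step is a XOR)."""
    return {
        "RSA": exp_cost(E_SMALL),
        "OAEP": exp_cost(E_SMALL),
        "DRSA": 2 * exp_cost(E_LARGE) + 1,
        "DRSA-1": 2 * exp_cost(E_LARGE) + 1,
        "DRSA-2": 2 * exp_cost(E_SMALL) + 1,
    }[scheme]


def decryption_cost(scheme):
    """RSA/OAEP decryption is the private exponentiation only; for the DRSA
    family the table adds the public-side workload (inferred from Fig. 4)."""
    public = 0 if scheme in ("RSA", "OAEP") else encryption_cost(scheme)
    return crt_private_cost() + public


def per_kb(cost, plaintext_bits):
    """Workload per kilobyte of plaintext, rounded as in the table."""
    return round(cost * KB_BITS / plaintext_bits)


def fig4_row(scheme, plaintext_bits):
    """(enc workload, enc workload/kB, dec workload, dec workload/kB)."""
    enc, dec = encryption_cost(scheme), decryption_cost(scheme)
    return (int(enc), per_kb(enc, plaintext_bits), int(dec), per_kb(dec, plaintext_bits))


if __name__ == "__main__":
    for scheme, bits in [("RSA", 1024), ("OAEP", 448), ("DRSA", 1024),
                         ("DRSA-1", 1024), ("DRSA-2", 1024), ("DRSA-2", 2048)]:
        print(scheme, bits, fig4_row(scheme, bits))
```

The model makes the trade-off in the text concrete: moving from e = 2^67 + 3 to e = 65537 cuts each public exponentiation from 69 to 17 multiplications, which is the entire gap between the DRSA and DRSA-2 columns, while the 384 of the CRT private exponentiation is common to every RSA-based row.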

CPA-IND and CCA2-IND both follow the notations of the Bellare et al.
paper [1] and mean the indistinguishability of encryptions (a.k.a. semantic
security) against chosen-plaintext attacks and adaptive chosen-ciphertext attacks
respectively.

One can remark that our new scheme, in its basic version (DRSA-1024 bits),
can encrypt 6 times faster than El Gamal-512 bits and decrypt in essentially
the same time. Therefore, the DRSA encryption scheme becomes the most
efficient scheme provably semantically secure against chosen-plaintext attacks in
the standard model.

If we consider the security in the random oracle model, the DRSA-1 scheme
reaches security against adaptive chosen-ciphertext attacks with unchanged
efficiency.

However, the most interesting scheme is the DRSA-2 cryptosystem, which
reaches semantic security against adaptive chosen-ciphertext attacks relative
to the Computational Dependent-RSA problem, in a situation where it
is practically equivalent to the RSA problem. Indeed, a smaller exponent, such
as e = 65537 (or even 3), can be used, hence an improved efficiency is obtained:
with k1 = |N| = 1024, this scheme is already faster than OAEP, for both
encryption and decryption. Furthermore, with larger k1 (e.g. k1 = 2048, such as in
the last column), this scheme can reach higher rates, and even get much faster
than the original RSA encryption scheme.

Conclusion

Therefore, we have presented three new schemes with security proofs and record
efficiency. Indeed, the DRSA cryptosystem is semantically secure against chosen-
plaintext attacks in the standard model, relative to a new difficult problem (the
inversion problem is equivalent to RSA in many cases), with an encryption rate
6 times faster than El Gamal (with similar security levels: RSA-1024 bits vs.
El Gamal-512 bits).

Next, we have presented two variants semantically secure against adaptive
chosen-ciphertext attacks in the random oracle model (they can even be proven
plaintext-aware [1]). Furthermore, the DRSA-2 scheme is more efficient than
RSA, and therefore much more efficient than OAEP, with an equivalent security,
since for those parameters, the Computational Dependent-RSA problem is
practically equivalent to the RSA problem.



Acknowledgments 

I would like to thank the anonymous Eurocrypt ’99 referees for their valuable 
comments and suggestions, as well as Jacques Stern for fruitful discussions. 

References 

1. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. In Crypto ’98, LNCS 1462, pages 26-45. Springer-Verlag, 1998.

2. M. Bellare and P. Rogaway. Random Oracles are Practical: a Paradigm for Designing Efficient Protocols. In Proc. of the 1st CCCS, pages 62-73. ACM Press, 1993.

3. M. Bellare and P. Rogaway. Optimal Asymmetric Encryption - How to Encrypt with RSA. In Eurocrypt ’94, LNCS 950, pages 92-111. Springer-Verlag, 1995.

4. D. Bleichenbacher. A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1. In Crypto ’98, LNCS 1462, pages 1-12. Springer-Verlag, 1998.

5. V. Boyko, M. Peinado, and R. Venkatesan. Speeding up Discrete Log and Factoring Based Schemes via Precomputations. In Eurocrypt ’98, LNCS 1403. Springer-Verlag, 1998.

6. R. Canetti, O. Goldreich, and S. Halevi. The Random Oracles Methodology, Revisited. In Proc. of the 30th STOC. ACM Press, 1998.

7. D. Coppersmith, M. Franklin, J. Patarin, and M. Reiter. Low-Exponent RSA with Related Messages. In Eurocrypt ’96, LNCS 1070, pages 1-9. Springer-Verlag, 1996.

8. R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack. In Crypto ’98, LNCS 1462, pages 13-25. Springer-Verlag, 1998.

9. W. Diffie and M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, volume IT-22, no. 6, pages 644-654, November 1976.

10. D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. In Proc. of the 23rd STOC. ACM Press, 1991.

11. T. El Gamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, volume IT-31, no. 4, pages 469-472, July 1985.

12. S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28:270-299, 1984.

13. J. Hastad. Solving Simultaneous Modular Equations of Low Degree. SIAM Journal on Computing, 17:336-341, 1988.

14. SET Secure Electronic Transaction LLC. SET Secure Electronic Transaction Specification - Book 3: Formal Protocol Definition, May 1997. Available from http://www.setco.org/.

15. D. Naccache and J. Stern. A New Cryptosystem based on Higher Residues. In Proc. of the 5th CCCS, pages 59-66. ACM Press, 1998.

16. M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In Proc. of the 22nd STOC, pages 427-437. ACM Press, 1990.

17. T. Okamoto and S. Uchiyama. A New Public Key Cryptosystem as Secure as Factoring. In Eurocrypt ’98, LNCS 1403, pages 308-318. Springer-Verlag, 1998.

18. P. Paillier. Public-Key Cryptosystems Based on Discrete Logarithms Residues. In Eurocrypt ’99, LNCS 1592, pages 221-236. Springer-Verlag, 1999.

19. C. Rackoff and D. R. Simon. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In Crypto ’91, LNCS 576, pages 433-444. Springer-Verlag, 1992.

20. R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2):120-126, February 1978.

21. RSA Data Security, Inc. Public Key Cryptography Standards - PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

22. V. Strassen. The Computational Complexity of Continued Fractions. SIAM Journal on Computing, 12(1):1-27, 1983.

23. Y. Tsiounis and M. Yung. On the Security of El Gamal based Encryption. In PKC ’98, LNCS. Springer-Verlag, 1998.




Resistance Against General Iterated Attacks

Serge Vaudenay

Ecole Normale Superieure — CNRS
Serge.Vaudenay@ens.fr

Abstract. In this paper we study the resistance of a block cipher against
a class of general attacks which we call “iterated attacks”. This class
includes some elementary versions of differential and linear cryptanalysis.
We prove that we can upper bound the complexity of the attack by using
decorrelation techniques. Our main theorem enables us to prove the security
against these attacks (in our model) of some recently proposed block
ciphers COCONUT98 and PEANUT98, as well as the AES candidate
DFC. We outline that decorrelation to the order 2d is required for proving
security against iterated attacks of order d.



1 Introduction

Since public-key cryptography was discovered in the late 70s, proving the
security of cryptographic protocols has been a challenging problem. Recently,
the random oracle model and the generic algorithm techniques have
introduced new tools for validating cryptographic algorithms. Although much
older, the area of symmetric cryptography did not get so many tools.

In the early 90s, Biham and Shamir introduced the notion of differential
cryptanalysis and Matsui introduced the notion of linear cryptanalysis,
which was a quite general model of attacks. Since then many authors have tried to
formalize these attacks and study their complexity in order to prove the security
of block ciphers against them. Earlier work, initiated by Nyberg, was based on
algebraic techniques.

Recently, Carter-Wegman’s combinatoric notion of “universal functions”
has been adapted to the context of encryption and the notion of “decorrelation
bias” has been formalized. Measurement of the decorrelation (e.g. by
the decorrelation bias) enables us to quantify the security of block ciphers against
several classes of attacks. Several real-life block cipher prototypes
have been proposed, namely COCONUT98 and PEANUT98. Their decorrelation
bias has been measured, and the security against basic versions of differential
and linear cryptanalysis (as formalized in the present paper) has been formally
proved. Similarly, the DFC candidate has been submitted to the AES process.

In this paper, we generalize these results in a uniform approach. We introduce
the notion of “iterated attack of order d” and we prove how the decorrelation bias
can measure the security against any of them. Differential and linear cryptanalysis
happen to be included in this class of attacks (differential attacks have an order
of 2, and linear attacks have an order of 1). In particular we prove the security of
the above mentioned block ciphers against any iterated known plaintext attack
of order 1.¹

J. Stern (Ed.): EUROCRYPT’99, LNCS 1592, pp. 255-271, 1999.

This paper is organized as follows. First we recall the previous results in
decorrelation theory which are interesting for our purpose in Section 2. Our
contribution starts in Section 3. We define the class of iterated attacks of given
order. We prove by a counterexample that decorrelation of order d is not sufficient
to thwart all iterated attacks of order d. We then show how decorrelation of order
2d gives an upper bound on the efficiency of any iterated attack of order d. We
show how to use this result for a practical block cipher (namely, PEANUT98 or
DFC). Finally, in Section 4 we investigate how to use the same techniques for
combining several cryptanalyses all together and Section 5 investigates extensions
of iterated attacks.



2 Previous Work

2.1 Provable Security for Block Ciphers

The notion of “provable security” is often used in public key cryptography. The
area of symmetric encryption has seldom seen results on provable security, and
those are rarely linked with each other.

First of all, Shannon’s approach (1949) formalizes the notion of “perfect
secrecy”. It proves the security of Vernam’s cipher (also known as the
“one-time pad”). The drawback is that the key must be at least as long as the
plaintext, used only once, and perfectly random (i.e. chosen with an unbiased
uniform distribution).

The Wegman-Carter (1981) approach enables the construction of “provably
secure” Message Authentication Code (MAC) algorithms by combining the notion
of universal function and Vernam’s cipher. It has several refinements.

The Luby-Rackoff approach (1988) uses the model of distinguishability
(which was well known in the area of pseudorandomness), also known
as Turing’s test, for proving that a random Feistel cipher over messages
of m bits is provably secure if we use it less than 2^{m/4} times. This has many
refinements. It relies the security of the cipher on
the pseudorandomness of the round function, which is indeed hard to achieve
(because of the key length) for real-life ciphers. We can for instance mention
Knudsen’s recent DEAL AES candidate which is based on this construction.
Here the “provable” security of DEAL relies on the assumption that DES
defines a family of random functions. Although this assumption does not make
much sense, this provides a piece of security proof.²



¹ Iterated attacks of order 1 do not include differential attacks, but the security against
differential attacks is proven by other approaches as detailed below.

² So far, we are not aware of any result which would formally prove that DEAL is
significantly more secure than DES.
Biham and Shamir’s attacks gave a new breath to the area of symmetric
encryption.

First of all, Lai-Massey’s notion of Markov cipher (1990) enables us
to formalize the complexity of differential cryptanalysis under the hypothesis of
stochastic equivalence which assumes that all keys behave as for the average. An
alternate approach due to Nyberg makes links with some non-linear
properties of the internal substitution boxes of the ciphers.

Finally, the Nyberg-Knudsen construction (1992) enables the construction of
block ciphers which are “provably secure” against differential and linear
cryptanalysis. They also gave some prototype examples of real-life ciphers which
happened to be weak against more general attacks. This construction
has been successfully used by Matsui in the MISTY construction (1996)
which has no known attacks so far.

These independent results have been linked with each other through the
decorrelation theory (1998).

These notions of provable security must however be interpreted with great
care, mostly because they refer to some security results against some kinds of
attacks and in some sharply formalized model. They do not refer to the intuitive
notion of “unbreakability” and must not be blindly trusted. The Jakobsen-
Knudsen attack against the Nyberg-Knudsen ciphers illustrates that
security against some attacks does not provide security against other ones. It
may also be possible to attack some trusted algorithms (like RSA) in some
real-life model (the RSA PKCS#1 standard) without mathematically breaking
the algorithm, as was shown by Bleichenbacher’s attack. Some constructions
which are proposed by the decorrelation theory happen to be vulnerable against
some more general attacks as well.³ We thus need to keep this warning in mind
when dealing with “provable security”.

³ Wagner recently broke the COCONUT98 cipher by a “boomerang attack” which
is a kind of intermediate attack approach between differential and higher differential
attacks.

2.2 Decorrelation Theory

In our setup, a block cipher is considered as a random permutation C over a
message-block space M. (Here the randomness comes from the random choice of
the secret key.) The efficiency of a cryptanalysis can be measured by the average
complexity of the algorithm over the distribution of the permutation (i.e. of the
secret key).

Definition 1. Given a random function F from a given set M1 to a given set
M2 and an integer d, we define the “d-wise distribution matrix” [F]^d of F as a
M1^d × M2^d-matrix where the (x, y)-entry of [F]^d corresponding to the multi-points
x = (x1, ..., xd) ∈ M1^d and y = (y1, ..., yd) ∈ M2^d is defined as the probability
that we have F(xi) = yi for i = 1, ..., d.

Basically, each row of the d-wise distribution matrix corresponds to the
distribution of the d-tuple (F(x1), ..., F(xd)) where (x1, ..., xd) corresponds to the
index of the row.

In this paper, we consider the following matrix norm,⁴ defined by

\[
\|A\| = \max_{x} \sum_{y} |A_{x,y}|
\]

for any matrix A.

Definition 2. Let C be a random permutation over M. We call the quantity
||[C]^d − [C*]^d|| the “d-wise decorrelation bias of permutation C” and we denote
it DecP^d(C), where C* is a uniformly distributed random permutation.

A decorrelation bias of zero means that for any multi-point x = (x1, ..., xd)
the multi-point (C(x1), ..., C(xd)) has the same distribution as the multi-point
(C*(x1), ..., C*(xd)), so that C and C* have the same “decorrelation”. Throughout
the paper, C* denotes a uniformly distributed permutation which serves as
a reference (which will be called “perfect cipher”). We say that its decorrelation
is “perfect”. For instance, saying that a cipher C on M has a perfect pairwise
decorrelation means that for any x1 ≠ x2, the random variable (C(x1), C(x2)) is
uniformly distributed among all the (y1, y2) pairs such that y1 ≠ y2. This notion
is fairly similar to the notion of universal functions which was introduced
by Carter and Wegman.

The matrix norm property (i.e. ||A × B|| ≤ ||A||·||B||) implies

\[
\mathrm{DecP}^d(C_1 \circ C_2) \le \mathrm{DecP}^d(C_1) \cdot \mathrm{DecP}^d(C_2).
\]

Thus we can build ciphers with arbitrarily small decorrelation bias by iterating a
simple cipher as long as its own decorrelation bias is smaller than 1. The security
results show that when the decorrelation bias is small, then the complexity of
the attack is high.

As an example we mention the simple affine cipher defined by C(x) = Ax + B
where (A, B) ∈_U GF(2^m)* × GF(2^m) is a random key. This cipher is perfectly
decorrelated to the order 2. It is the basic COCONUT cipher.

2.3 Security Model

In the Luby-Rackoff model, an attacker is an infinitely powerful Turing
machine A^O which has access to an oracle O. Its aim is to distinguish whether the
oracle implements a cipher C or the Perfect Cipher C* by querying it with
a limited number d of inputs. The attacker must finally answer 0 (“reject”) or 1
(“accept”). We measure the ability to distinguish C from C* by the advantage
Adv_A(C, C*) = |p − p*| where p (resp. p*) is the probability of answering 1 if O
implements C (resp. C*). In this paper we focus on non-adaptive attacks, i.e. on
distinguishers, illustrated on Fig. 1, where no X_i queried to the oracle depends on
some previous answers C(X_j). The chosen norm is well suited to this notion of
non-adaptive attack as shown by the following result (taken from [36,37]).

⁴ This norm is the infinity-associated matrix norm and is usually denoted |||·|||∞.
Other norms have been considered.

Parameter: a complexity n
Input: an oracle which implements a function c
1. compute some messages X = (X1, ..., Xd)
2. get Y = (c(X1), ..., c(Xd)) from the oracle
3. depending on X and Y, output 0 or 1

Fig. 1. A Generic d-Limited Non-Adaptive Distinguisher.

Theorem 3. Let d be an integer. Let C be a cipher. The best d-limited non-
adaptive distinguisher A for C is such that

\[
\mathrm{Adv}_{\mathcal{A}}(C, C^*) = \frac{1}{2}\,\mathrm{DecP}^d(C).
\]

Thus the decorrelation bias for the ||·|| norm expresses the best possible advantage
for a non-adaptive attack.

For instance, if C is the basic COCONUT cipher and d = 2, then the advantage
of any non-adaptive attack which is limited to 2 queries is zero: this cipher
is perfectly secure when used only twice (as the one-time pad is perfectly secure
when used only once).

2.4 Differential and Linear Cryptanalysis

In this section we assume that M = GF(2^m). The inner dot product a · b in
GF(2^m) is the parity of the bitwise AND of a and b.

We formalize the basic notion of differential (resp. linear) cryptanalysis by
the distinguisher which is characterized by a pair (a, b) ∈ M^2 (and which is
called a “characteristic”) and which is depicted on Fig. 2 (resp. Fig. 3). Linear
cryptanalysis also needs an “acceptance set” B.

These formalizations are somewhat different from the original ones. We claim
that they are straightforward adaptations of the original attacks in the Luby-
Rackoff model. Actually, Biham-Shamir’s original 3R, 2R and 1R attacks
can be considered as implicitly starting with the attack which is depicted on
Fig. 2 against the same cipher with 3, 2 or 1 less round. One of the technical
problems of differential cryptanalysis is that we do not have access to the explicit
output of the oracle so we have to filter the outputs and isolate “good pairs”
from “wrong pairs”. The (theoretical) differential distinguisher against a cipher
diminished by i rounds is thus more efficient than Biham-Shamir’s iR basic
attack, therefore a lower bound on the complexity of differential distinguishers
leads to a lower bound on the complexity of these original attacks.⁵ Similarly,
Fig. 3 is the heart of Matsui’s original attack against DES when c is DES
reduced to 14 rounds.

Parameters: a complexity n, a characteristic (a, b)
Input: an oracle which implements a function c
1. for i from 1 to n do
   (a) pick uniformly a random X and query for c(X) and c(X + a)
   (b) if c(X + a) = c(X) + b, stop and output 1
2. output 0

Fig. 2. Differential Distinguisher.

Parameters: a complexity n, a characteristic (a, b), an acceptance set B
Input: an oracle which implements a function c
1. initialize the counter value u to zero
2. for i from 1 to n do
   (a) pick a random X with a uniform distribution and query for c(X)
   (b) if X · a = c(X) · b, increment the counter u
3. if u ∈ B, output 1, otherwise output 0

Fig. 3. Linear Distinguisher.

It has been shown (see [36,37]) that for any differential distinguisher we have

$$\mathrm{Adv}_{\mathrm{Fig.\,2}}(C, C^*) \le \frac{n}{2^m - 1} + \frac{n}{2}\,\mathrm{DecP}^2(C). \tag{1}$$

(In particular, the probability of the differential characteristic, which usually introduces a dependency on the key in formal expressions, is completely replaced by $\mathrm{DecP}^2(C)$: the complexity analysis of the attack on average over the key uses only the decorrelation bias and does not rely on any unproven assumption such as the hypothesis of stochastic equivalence; see the second footnote below.) Similarly, for any linear distinguisher we have

$$\lim_{n \to +\infty} \frac{1}{\sqrt[3]{n}}\,\mathrm{Adv}_{\mathrm{Fig.\,3}}(C, C^*) \le 9.3\,\sqrt[3]{\frac{1}{2^m - 1} + 2\,\mathrm{DecP}^2(C)}. \tag{2}$$

Footnote: We outline that further versions and extensions of differential cryptanalysis use more tricks and escape from this model. This is why we refer to the "original" differential cryptanalysis.

Footnote: This does not mean that no "weak keys" exist, which is wrong in general (DFC happens to have weak keys as shown by Coppersmith). It shows that the attack does not work on average, which implies that the fraction of weak keys is negligible against the average case (indeed, the weak keys of DFC consist of a fraction of 2“^^® of the keys).

Therefore the decorrelation bias to the order 2 leads to upper bounds on the best advantages of both differential and linear attacks.



2.5 Some Constructions 



In [?], two real-life block ciphers (called COCONUT98 and PEANUT98) have been proposed. They come from the general families of constructions COCONUT and PEANUT.

A cipher in the COCONUT family is characterized by some parameters (m, p) where m is the message-block length and p is an irreducible polynomial of degree m over GF(2). The COCONUT98 Cipher corresponds to the parameters m = 64 and $p = x^{64} + x^{11} + x^2 + x + 1$. From the construction, any COCONUT cipher has a perfect pairwise decorrelation. Therefore from Equations (1) and (2) no differential or linear distinguisher (as formalized on Fig. 2 and 3) can be efficient.

A cipher in the PEANUT family has some parameters (m, r, d, p). Here m is the message-block length, r is the number of rounds (actually, a PEANUT cipher is an r-round Feistel cipher [?]), d is the order of constructed decorrelation, and p is a prime number greater than $2^{m/2}$. The PEANUT98 Cipher corresponds to m = 64, r = 9, d = 2 and $p = 2^{32} + 15$. It has been shown that the d-wise decorrelation bias of this cipher has an upper bound which is equal to



(^(l + 2(p‘'2-^-l))" 




This bound is well approximated by 



( 3 ) 



where $p = 2^{m/2}(1 + \delta)$. Hence for the PEANUT98 Cipher we have $\mathrm{DecP}^2(C) \le 2^{-76}$. The AES candidate DFC is also in the PEANUT family, with parameters m = 128, r = 8, d = 2 and $p = 2^{64} + 13$. Therefore DecP^2(C) ≤ 2~^^^ for it (even if we remove two rounds). Equations (1) and (2) show that differential and linear distinguishers must have a high complexity against both ciphers.



2.6 Several Aspect of the Decorrelation Theory 

The approach of the decorrelation theory consists of four important steps.

1. Defining the distance between $[C]^d$ and $[C^*]^d$. We have seen that we can use matrix norms. This paper uses the $|||\cdot|||_\infty$ norm. Some other norms can be considered, such as the Euclidean $L_2$ norm as detailed in [?]. The original concept of universal functions deals with the infinity norm (defined as the maximum of all entries). The choice of the distance is very important, because some norms seem to provide better complexity lower bounds than others.

2. Constructing simple toy random functions (which we call "decorrelation modules") with low decorrelation bias. For instance, the PEANUT construction of [?] shows that the $Ax + B \bmod p \bmod 2^{m/2}$ random function (where $(A, B) \in_U \{0, 1\}^m$) for a prime p greater than $2^{m/2}$ has a decorrelation bias which is less than $2(p^d 2^{-md/2} - 1)$; for d = 2 this is approximately $4\delta$ when $p = 2^{m/2}(1 + \delta)$.

3. Constructing decorrelated ciphers: proving how the decorrelation bias of the decorrelation modules can be inherited by a larger structure. For instance, the PEANUT construction shows how the decorrelation of the previous primitive is inherited by a Feistel network which uses it as a round function. (This leads to the bound of Equation (3).)

4. Considering classes of attacks and proving how the decorrelation bias of the cipher gives a lower bound on the complexity of the attack. For instance, proving how the decorrelation to the order 2 provides security against the class of differential or linear attacks.

The present paper deals with the fourth step only.

3 Iterated Attacks of Order d 

In this section we introduce the notion of "iterated attack".

3.1 Definition

Equations (1) and (2) suggest that we try to generalize them to a model of iterated attacks. Intuitively, this is an attack in which we iterate (independently) n times an elementary distinguisher which is limited to d queries. After performing one elementary distinguisher we get only one bit of information (we will extend this model to more bits in Section 5, but the results of Sections 3 and 4 are only applicable with this limitation of one bit). We focus here on non-adaptive attacks.

Definition 4. Let n and d be some integers and $\mathcal{M}$ be a set. A non-adaptive "iterated distinguisher of order d and complexity n" for a permutation on $\mathcal{M}$ is defined by

— a distribution $\mathcal{D}$ on $\mathcal{M}^d$ (a "plaintext distribution"),

— a function T from $\mathcal{M}^d \times \mathcal{M}^d$ to [0, 1] (a "test function"),

— a function A from $\{0, 1\}^n$ to [0, 1] (an "acceptance function").

The distinguisher runs as illustrated on Fig. 4.

Obviously differential and linear distinguishers as formalized on Fig. 2 and 3 are particular cases of iterated attacks (of order 2 and 1 respectively). Namely, if d = 2, if the distribution $\mathcal{D}$ is the distribution of (X, X + a) where X has a uniform distribution, if $T((x_1, x_2), (y_1, y_2))$ is defined to be 1 if $y_2 = y_1 + b$ and 0 otherwise, and finally if $A(t_1, \dots, t_n)$ is defined to be the product of all the $t_i$, then we get a differential distinguisher with characteristic (a, b). Similarly, if d = 1, if $\mathcal{D}$ is uniform, if T(x, y) is defined to be 1 if $a \cdot x = b \cdot y$ and 0 otherwise, and finally if $A(t_1, \dots, t_n)$ is defined to be 1 if the sum of all the $t_i$ is in B and 0 otherwise, then we get a linear distinguisher with characteristic (a, b) and acceptance set B. Iterated attacks of order at most 2 are therefore more general than differential and linear attacks.



Parameters: a complexity n, a plaintext distribution $\mathcal{D}$, a test function T, an acceptance function A
Input: an oracle which implements a function c
1. for i from 1 to n do
   (a) pick a random $X = (X_1, \dots, X_d)$ with distribution $\mathcal{D}$
   (b) get $Y = (c(X_1), \dots, c(X_d))$ from the oracle c
   (c) pick a random $T_i \in \{0, 1\}$ with an expected value of T(X, Y)
2. randomly output 0 or 1 with an expected value of $A(T_1, \dots, T_n)$

Fig. 4. Non-Adaptive Iterated Attack of Order d.

When $\mathcal{D}$ is the uniform distribution, we will refer to "known plaintext iterated attacks".



3.2 A Counterexample 



It is tempting to believe that a cipher resists this model of attacks once it has a small d-wise decorrelation bias. This is wrong, as the following example shows with d = 2. Let C be the simple Ax + B cipher over GF(q) where $(A, B) \in_U \mathrm{GF}(q)^* \times \mathrm{GF}(q)$. It has a perfect pairwise decorrelation. Obviously, any $((x_1, x_2), (y_1, y_2))$ sample with $x_1 \ne x_2$ and such that $y_1 = C(x_1)$ and $y_2 = C(x_2)$ enables one to get (A, B) as a function $f(x_1, x_2, y_1, y_2)$. Let D be a subset of distinguished values of $\mathrm{GF}(q)^* \times \mathrm{GF}(q)$ with a given cardinality denoted $q(q - 1)/u$. We use the uniform distribution of all $(X_1, X_2)$ pairs such that $X_1 \ne X_2$ as the plaintext distribution. We define

$$T((x_1, x_2), (y_1, y_2)) = \begin{cases} 1 & \text{if } f(x_1, x_2, y_1, y_2) \in D \\ 0 & \text{otherwise} \end{cases}$$

and

$$A(t_1, \dots, t_n) = \begin{cases} 1 & \text{if } (t_1, \dots, t_n) \ne (0, \dots, 0) \\ 0 & \text{otherwise.} \end{cases}$$

The trick is that all iterations will provide the same answer for C but a random one for $C^*$. For the corresponding iterated attack we thus have $p = 1/u$, whereas $p^*$ grows with the number of iterations. For n = 2 (two iterations only) we already obtain a noticeable advantage; thus we can have a quite large $|p - p^*|$ although C is perfectly pairwise decorrelated and we have an iterated attack of order 2. The trick comes from the fact that the test T provides the same expected result for C and $C^*$ but a totally different standard deviation, which is avoided by decorrelation to the order 2d = 4 as shown in the next section.

This counterexample shows that decorrelation of order d is not sufficient in general to prove the security against iterated attacks of order d. In some special cases (as for differential attacks) it may however be sufficient. In the next section we show that decorrelation of order 2d is sufficient.
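The counterexample above, run exactly, as an added example that is not from the paper: the affine cipher over GF(q) with the constructed toy parameters q = 7 and u = 2, the recovery function f, and the test T and acceptance function A of the iterated attack of order 2; p and p* are obtained by exhaustive enumeration over the 42 keys and over all 7! permutations, so the numbers are exact.

```python
"""Added example, not from the paper: the counterexample of Section 3.2 made
concrete.  C(x) = A x + B over GF(q) is perfectly pairwise decorrelated, yet the
iterated attack of order d = 2 below distinguishes it from a random permutation
C* with n = 2 iterations.  Constructed toy parameters: q = 7 (prime), u = 2;
all probabilities are computed exactly by enumeration."""
from fractions import Fraction
from itertools import permutations


def keys(q):
    """Key space GF(q)* x GF(q); the cipher is C_{A,B}(x) = A x + B mod q."""
    return [(a, b) for a in range(1, q) for b in range(q)]


def recover_key(q, x1, x2, y1, y2):
    """f(x1, x2, y1, y2): the unique (A, B) with y_i = A x_i + B, for x1 != x2."""
    a = (y1 - y2) * pow(x1 - x2, -1, q) % q
    b = (y1 - a * x1) % q
    return a, b


def distinguished_set(q, u):
    """D: a fixed subset of GF(q)* x GF(q) of size q(q-1)/u (constructed choice:
    the keys whose A lies in a 1/u slice of GF(q)*)."""
    assert (q - 1) % u == 0
    return {(a, b) for a in range(1, (q - 1) // u + 1) for b in range(q)}


def plaintext_pairs(q):
    """Support of the plaintext distribution of the counterexample: all ordered
    pairs (X1, X2) with X1 != X2, each with the same probability."""
    return [(x1, x2) for x1 in range(q) for x2 in range(q) if x1 != x2]


def is_pairwise_decorrelated(q):
    """[C]^2 = [C*]^2: for every x1 != x2, (C(x1), C(x2)) runs exactly once through
    all q(q-1) ordered pairs of distinct values as (A, B) runs through the keys."""
    for x1, x2 in plaintext_pairs(q):
        seen = {((a * x1 + b) % q, (a * x2 + b) % q) for a, b in keys(q)}
        if len(seen) != q * (q - 1):
            return False
    return True


def accept_prob(oracles, q, u, n):
    """Probability that the attack of Fig. 4 outputs 1, averaged over the given
    family of oracles.  For a fixed oracle c the n tests T_i are i.i.d. with
    expectation Z(c) = Pr[f(X1, X2, c(X1), c(X2)) in D]; the acceptance function
    A outputs 1 unless every T_i is 0, so Pr[output 1 | c] = 1 - (1 - Z(c))^n."""
    dset = distinguished_set(q, u)
    pairs = plaintext_pairs(q)
    total = Fraction(0)
    for c in oracles:
        hits = sum(recover_key(q, x1, x2, c[x1], c[x2]) in dset for x1, x2 in pairs)
        z = Fraction(hits, len(pairs))
        total += 1 - (1 - z) ** n
    return total / len(oracles)


def p_cipher(q, u, n):
    """p for C: every iteration recovers the true key, so Z is 0 or 1 and p = 1/u
    whatever n is."""
    oracles = [[(a * x + b) % q for x in range(q)] for a, b in keys(q)]
    return accept_prob(oracles, q, u, n)


def p_random(q, u, n):
    """p* for C*: average over all q! permutations (feasible for q = 7)."""
    return accept_prob([list(c) for c in permutations(range(q))], q, u, n)


def p_random_if_independent(u, n):
    """What p* would be if the n answers for C* were independent coin flips with
    expectation 1/u (the fixed permutation correlates them, so p* is a bit lower)."""
    return 1 - (1 - Fraction(1, u)) ** n


def advantage(q, u, n):
    """|p - p*| of the iterated attack of order 2 with n iterations."""
    return abs(p_cipher(q, u, n) - p_random(q, u, n))


if __name__ == "__main__":
    print("pairwise decorrelated:", is_pairwise_decorrelated(7))   # True
    print("p =", p_cipher(7, 2, 2), " p* =", p_random(7, 2, 2),
          " |p - p*| =", advantage(7, 2, 2))
```

The same enumeration also shows the mechanism named in the text: for C the per-iteration test expectation Z is always 0 or 1, while for C* it is spread around 1/u, so the two families agree in expectation but not in variance.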



3.3 Security Result 

We can however prove the security when the cipher has a good decorrelation to the order 2d.

Theorem 5. Let C be a cipher on a message space $\mathcal{M}$ of size M such that $\mathrm{DecP}^{2d}(C) \le \varepsilon$ for some given d. For any non-adaptive iterated attack of order d and complexity n which uses a distribution $\mathcal{D}$ (see Fig. 4) we have

$$\mathrm{Adv}_{\mathrm{Fig.\,4}}(C, C^*) \le 3\,\sqrt[3]{\left(2\delta + \frac{d^2(2M - d)}{M(M - d)} + \frac{3\varepsilon}{2}\right) n^2} + \frac{n\varepsilon}{2}$$

where δ is the probability that for two independent random X and X' with distribution $\mathcal{D}$ there exist i and j such that $X_i = X'_j$.

In the particular case where $\mathcal{D}$ is the uniform distribution (i.e. if we have a known plaintext iterated attack), we have $\delta \le d^2/M$, so

$$\mathrm{Adv}_{\mathrm{Fig.\,4}}(C, C^*) \le 3\,\sqrt[3]{\left(\frac{d^2(4M - 3d)}{M(M - d)} + \frac{3\varepsilon}{2}\right) n^2} + \frac{n\varepsilon}{2}.$$

This result shows that with a low decorrelation bias ε we need

$$n = \Omega\left(\min\left(\varepsilon^{-1/2}, \sqrt{M}\right)\right)$$

in order to get a significant advantage, unless the distribution $\mathcal{D}$ has some special property. For known plaintext attacks the attacker cannot choose this distribution, so this result is meaningful. For other attacks we can wonder what happens if the attacker chooses a clever distribution. We believe that the present result can be improved in further work. Actually, if the distribution is such that $X_i$ is always the same query we get the worst case, because δ = 1. Having the same query to the oracle is however a strange way of attacking it, and we believe that this strategy does not provide any advantage (see the footnote below).

Footnote: We did not state a theorem in terms of known plaintext attacks only, in order to stimulate further research in this direction.

If we apply this theorem to linear cryptanalysis (d = 1 and δ = 1/M) we obtain

$$\mathrm{Adv}_{\mathrm{Fig.\,3}}(C, C^*) \le 3\,\sqrt[3]{\left(\frac{4M - 3}{M(M - 1)} + \frac{3\varepsilon}{2}\right) n^2} + \frac{n\varepsilon}{2}.$$

This result is weaker than Equation (2). Similarly, in order to apply it to the differential distinguisher (d = 2 and $\delta \le 4/M$) we need decorrelation to the order 4, although Equation (1) needs decorrelation to the order 2 only. This is the cost of more general results!

Proof. Let Z (resp. $Z^*$) be the probability over the distribution of X that the test accepts (X, C(X)) (resp. $(X, C^*(X))$), i.e.

$$Z = E_X\big(T(X, C(X))\big).$$

(Z depends on C.) Let p (resp. $p^*$) be the probability that the attack accepts, i.e.

$$p = E_C\big(A(T_1, \dots, T_n)\big).$$

Since the $T_i$ are independent and have the same expected value Z, which only depends on C, we have

$$p = E_C\Big[\sum_{(t_1, \dots, t_n) \in \{0,1\}^n} Z^{t_1 + \cdots + t_n}(1 - Z)^{n - (t_1 + \cdots + t_n)}\, A(t_1, \dots, t_n)\Big].$$

We thus have $p = E(f(Z))$ where f(z) is a polynomial of degree at most n with values in [0, 1] for any $z \in [0, 1]$ and of the form $f(z) = \sum_i a_i z^i (1 - z)^{n - i}$. It is straightforward that $|f'(z)| \le n$ for any $z \in [0, 1]$. Thus we have $|f(z) - f(z^*)| \le n\,|z - z^*|$.

The crucial point in the proof is in proving that $|Z - Z^*|$ is small with high probability. For this, we need $|E(Z) - E(Z^*)|$ and $|V(Z) - V(Z^*)|$ to be both small.

From Theorem 3 we know that $|E(Z) - E(Z^*)| \le \varepsilon/2$. We note that $Z^2$ corresponds to another test but with 2d entries, hence we have $|E(Z^2) - E((Z^*)^2)| \le \varepsilon/2$. Hence $|V(Z) - V(Z^*)| \le \frac{3}{2}\varepsilon$. Now from Tchebichev's Inequality we have

$$\Pr\big[|Z - E(Z)| > \lambda\big] \le \frac{V(Z)}{\lambda^2}.$$

Hence we have

$$\Pr\Big[|Z - Z^*| > 2\lambda + \frac{\varepsilon}{2}\Big] \le \frac{2V(Z^*) + \frac{3}{2}\varepsilon}{\lambda^2}$$

thus

$$|p - p^*| \le n\Big(2\lambda + \frac{\varepsilon}{2}\Big) + \frac{2V(Z^*) + \frac{3}{2}\varepsilon}{\lambda^2}$$

so, with $\lambda = \sqrt[3]{\big(2V(Z^*) + \frac{3}{2}\varepsilon\big)/n}$, we have

$$|p - p^*| \le 3\,\sqrt[3]{\Big(2V(Z^*) + \frac{3}{2}\varepsilon\Big) n^2} + \frac{n\varepsilon}{2}.$$

The variance $V(Z^*)$ is expressed by

$$V(Z^*) = \sum_{x, y, x', y'} \Pr_{\mathcal{D}}[x]\,\Pr_{\mathcal{D}}[x']\,T(x, y)\,T(x', y')\left(\Pr_{C^*}\Big[\substack{x \to y \\ x' \to y'}\Big] - \Pr_{C^*}[x \to y]\,\Pr_{C^*}[x' \to y']\right)$$

which is maximal when T(x, y) is 0 or 1 by linear programming results. Thus

$$V(Z^*) \le \frac{1}{2}\sum_{x, x'} \Pr_{\mathcal{D}}[x]\,\Pr_{\mathcal{D}}[x'] \sum_{y, y'} \left|\Pr_{C^*}\Big[\substack{x \to y \\ x' \to y'}\Big] - \Pr_{C^*}[x \to y]\,\Pr_{C^*}[x' \to y']\right|.$$

The sum over all x and x' entries with colliding entries (i.e. with some $x_i = x'_j$) is less than δ. The sum over all y and y' entries with colliding entries and no colliding x and x' is less than $d^2/2M$. The sum over all non-colliding x and x' and non-colliding y and y' is less than

$$\frac{1 - \delta}{2}\left(1 - \frac{M(M - 1)\cdots(M - 2d + 1)}{M^2(M - 1)^2\cdots(M - d + 1)^2}\right)$$

which is less than $\frac{d^2}{2(M - d)}$. Thus we have $V(Z^*) \le \delta + \frac{d^2}{2M} + \frac{d^2}{2(M - d)}$, which is equal to $\delta + \frac{d^2(2M - d)}{2M(M - d)}$. □



3.4 Applications 

PEANUT98 is a 9-round Feistel Cipher for message-blocks of size 64 which has been proposed in [?] with a constructed pairwise decorrelation such that $\mathrm{DecP}^2(\mathrm{PEANUT98}) \le 2^{-76}$, as shown in Section 2.5. From Equation (1) we know that no differential distinguisher with a number of chosen plaintext pairs less than $2^{63}$ will have an advantage greater than 50%. From Equation (2) we know that no linear distinguisher with a number of known plaintexts less than $2^{52}$ will have an advantage greater than 50%. Now from Theorem 5 we know that no known plaintext iterated attack of order 1 (e.g. linear attacks) with a number of known plaintexts less than $2^{27}$ will have an advantage greater than 50%. For linear cryptanalysis, this result is weaker than Equation (2), but more general.

Similarly, DFC is immune against any known plaintext iterated attack of order 1 with a number of known plaintexts less than 2®^ in the sense that the advantage of these attacks will always be less than 50%.

All these results are applicable to the COCONUT98 Cipher as well, since its pairwise decorrelation bias is even smaller (it is actually zero).

The threshold of 50% is arbitrary here. If we have an attack with low advantage a, we intuitively want to iterate it at least 1/a times in order to get a significant success rate. The complexity is therefore increased accordingly. We thus adopted this symbolic threshold of 50%.
4 On Combining Several Attacks

When several (inefficient) attacks hold against a cipher C, it is natural to wonder whether or not we can combine their efforts in order to get an efficient attack. This situation is formalized by changing a few things on Fig. 4, and we can rewrite Theorem 5 in this setting. Firstly, the test in each iteration can be changed. Secondly, n must be considered as relatively small, and d as relatively large: we use a few attacks (n) which have no real limitations (d) on the number of queries. This situation is different from the previous one, where we used many attacks (many times the same one actually) of limited order d. For this reason, and since we want n to express the complexity, we rewrite d into $d_i$ for the ith attack and n into r. The resulting model is illustrated on Fig. 5.

Parameters: several attacks $A_1, \dots, A_r$, an acceptance function A
Input: an oracle which implements a function c
1. for i from 1 to r do in parallel
   (a) perform the attack $A_i$ against c
   (b) set $T_i$ to the result of the attack
2. randomly output 0 or 1 with an expected value of $A(T_1, \dots, T_r)$

Fig. 5. Combined Attack.

Theorem 6. Let C be a cipher on a message space $\mathcal{M}$ of size M. Let $A_1, \dots, A_r$ be r attacks on C with advantages $\mathrm{Adv}_{A_1}, \dots, \mathrm{Adv}_{A_r}$ respectively. For each i, we let $d_i$ denote the number of queries of $A_i$ and we let $A_i^2$ denote the following attack.

Input: an oracle which implements a cipher c
1. perform the attack $A_i$ and set a to the result
2. perform the attack $A_i$ and set b to the result
3. if a = b = 1 output 1, otherwise output 0

We let $\mathrm{Adv}_{A_i^2}$ denote its advantage, and $\delta_i$ denote the probability that the two $A_i$ attack executions query c with one input in common. For any combined attack (depicted on Fig. 5) with independent attacks, $\mathrm{Adv}_{\mathrm{Fig.\,5}}(C, C^*)$ is less than

$$\sum_{i=1}^{r}\left(\mathrm{Adv}_{A_i} + 3\,\sqrt[3]{2\delta_i + \frac{d_i^2(2M - d_i)}{M(M - d_i)} + 2\,\mathrm{Adv}_{A_i} + \mathrm{Adv}_{A_i^2}}\right).$$

For instance, when the attacks are known plaintext attacks with a plaintext source with uniform distribution, we have $\delta_i \le d_i^2/M$.

This result does not depend on the decorrelation of the cipher but only upper bounds what we can best achieve when combining several attacks. The occurrence of $\mathrm{Adv}_{A_i^2}$ is a little frustrating but is necessary. Section 3.2 actually gives a counterexample in which some attack A is totally inefficient (with an advantage of 0) but with a quite high $\mathrm{Adv}_{A^2}$.

Proof. As for the proof of Theorem 5, the advantage can be written

$$\mathrm{Adv}_{\mathrm{Fig.\,5}}(C, C^*) = \big|E\big(f(Z_1, \dots, Z_r) - f(Z_1^*, \dots, Z_r^*)\big)\big|$$

for a polynomial $f(x_1, \dots, x_r)$ of partial degrees at most 1 and with values in [0, 1] whenever all entries are in [0, 1]. All partial derivatives $\frac{\partial f}{\partial x_i}(x_1, \dots, x_r)$ are in [−1, 1], so we have

$$\mathrm{Adv}_{\mathrm{Fig.\,5}}(C, C^*) \le \sum_{i=1}^{r} E\big(|Z_i - Z_i^*|\big).$$

We have $|E(Z_i - Z_i^*)| = \mathrm{Adv}_{A_i}$ and $|E(Z_i^2 - (Z_i^*)^2)| = \mathrm{Adv}_{A_i^2}$. So, as in the proof of Theorem 5, we obtain

$$\mathrm{Adv}_{\mathrm{Fig.\,5}}(C, C^*) \le \sum_{i=1}^{r}\left(\mathrm{Adv}_{A_i} + 3\,\sqrt[3]{2V(Z_i^*) + 2\,\mathrm{Adv}_{A_i} + \mathrm{Adv}_{A_i^2}}\right)$$

and finally $V(Z_i^*) \le \delta_i + \frac{d_i^2(2M - d_i)}{2M(M - d_i)}$. □



5 Generalization 



We can even generalize Theorem 5 to the case where the iterations of the attack produce an information $T_i$ which is not necessarily binary. We outline that if the size of $T_i$ is unlimited, then there is no possible result, because the attack has unlimited computation power and it would be able to perform an exhaustive search with all the information from the queries.

Theorem 7. Let C be a cipher on a message space of size M such that we have $\mathrm{DecP}^{2d}(C) \le \varepsilon$ for some given d. For any non-adaptive iterated attack of order d and complexity n which uses a distribution $\mathcal{D}$ (see Fig. 4) and where we allow the $T_i$ to be in the set {1, …, s}, we have

$$\mathrm{Adv}_{\mathrm{Fig.\,4}}(C, C^*) \le 3s\,\sqrt[3]{\left(2\delta + \frac{d^2(2M - d)}{M(M - d)} + \frac{3\varepsilon}{2}\right) n^2} + \frac{ns\varepsilon}{2}$$

where δ is the probability that for two independent random X and X' with distribution $\mathcal{D}$ there exist i and j such that $X_i = X'_j$.

Proof. In the proof of Theorem 5, f(Z) is replaced by a polynomial $f(Z_1, \dots, Z_s)$ in terms of $Z_j = \Pr[T_i = j]$ for j = 1, …, s. For two distributions $(z_1, \dots, z_s)$ and $(z_1^*, \dots, z_s^*)$, we have

$$|f(z_1, \dots, z_s) - f(z_1^*, \dots, z_s^*)| \le n \sum_{j=1}^{s} |z_j - z_j^*|.$$

As in the previous proof we have

$$\Pr\Big[|Z_j - Z_j^*| > 2\lambda + \frac{\varepsilon}{2}\Big] \le \frac{2V(Z_j^*) + \frac{3}{2}\varepsilon}{\lambda^2}$$

for any λ, and $V(Z_j^*) \le \delta + \frac{d^2(2M - d)}{2M(M - d)}$. Hence the situation simply consists in multiplying the bound by s. □

6 Conclusion 

We showed how to unify differential and linear distinguishers in a general notion of iterated attack. We then proved that decorrelation enables us to quantify the security against any iterated attack. This result happened to be applicable to a real-life block cipher. Our results are however not so tight, because of the use of Tchebichev's Inequality, and it is still an open problem to improve the complexity upper bounds (with Chernoff's bounds?). We encourage research in this direction.



Abstract. Differential cryptanalysis is a well-known attack on iterated ciphers whose success is determined by the probability of predicting sequences of differences from one round of the cipher to the next. The notion of difference is typically defined with respect to the group operation(s) used to combine the subkey in the round function F. For a given round operation π of F, such as an S-box, let $DP_\otimes(\pi)$ denote the probability of the most likely non-trivial difference for π when differences are defined with respect to ⊗. In this paper we investigate how the distribution of $DP_\otimes(\pi)$ varies as the group operation ⊗ is varied when π is a uniformly selected permutation. We prove that $DP_\otimes(\pi)$ is maximised with high probability when differences are defined with respect to XOR.



1 Introduction 

Differential cryptanalysis (DC) is a well-known chosen-plaintext attack based on predicting how certain changes or differences in the plaintext propagate through a cipher. DC was well publicized by Biham and Shamir [?] as a tool for the cryptanalysis of DES-like ciphers. Biham and Shamir defined the difference $\Delta(X, X^*)$ between two n-bit blocks $X, X^*$ by $\Delta(X, X^*) = X \oplus X^*$ where ⊕ denotes the bit-wise exclusive-OR (XOR) operation. To extend the application of DC to other ciphers, Lai, Massey and Murphy [?] adapted the definition of differences to $\Delta(X, X^*) = X \otimes (X^*)^{-1}$, where ⊗ is an Abelian group operation and $(X^*)^{-1}$ is the group inverse of $X^*$. The choice of difference used to analyse a cipher is usually selected so that the subkey Z is cancelled by the difference operator:

$$\Delta(X, X^*) = \Delta\big((X \otimes Z), (X^* \otimes Z)\big) = X \otimes (X^*)^{-1}. \tag{1}$$

Consequently, the choice of operation used to define differences is typically determined by the group operation(s) used to combine the key into the cipher. Commonly used group operations include XOR $(\mathbb{Z}_2^n, \oplus)$, modular addition $(\mathbb{Z}_{2^n}, \boxplus)$, and modular multiplication $(\mathbb{Z}_{2^n + 1}^*, \odot)$, where $(2^n + 1)$ is prime. In general the inputs $x_1, x_2$ to ⊙ in a cipher will be elements of $\mathbb{Z}_2^n$ rather than $\mathbb{Z}_{2^n + 1}$, and when evaluating $x_1 \odot x_2$ we first map $x_i$ to $2^n$ if $x_i$ is zero; also $x_1 \odot x_2$ is mapped to zero if it is equal to $2^n$.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 272–, 1999.
© Springer-Verlag Berlin Heidelberg 1999

| n | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|
| av. max. ⊞ | 0.2771 | 0.1617 | 0.0919 | 0.0515 | 0.0284 |
| av. max. ⊙ | 0.2764 | - | - | - | 0.0283 |
| av. max. ⊕ | 0.4186 | 0.2487 | 0.1426 | 0.0806 | 0.0443 |

Table 1. The average maximum probability for differential approximations to randomly selected bijections $\pi : \mathbb{Z}_2^n \to \mathbb{Z}_2^n$ defined for the operations ⊗ ∈ {⊞, ⊙, ⊕}, where 4 ≤ n ≤ 8. Note that differences for ⊙ are only defined for n when $2^n + 1$ is prime.

The purpose of this paper is to examine how the probability of differential approximations for permutations π varies as the group operation ⊗ used to define differences is varied. The study of permutations can be justified on two grounds. First, many block ciphers make use of permutations: in some cases these permutations are 'small', often referred to as S-boxes if implemented as tables, such as in SAFER K-64 [?], TWOFISH [?], CRYPTON [?], E2 [?] and Rijndael [?] (all use 8-bit permutations), while other ciphers use larger permutations such as IDEA [?] (subkey multiplication is equivalent to a 16-bit permutation look-up) and DFC [7] (64-bit permutation). The second reason to study permutations is that a block cipher implements a permutation π for any fixed key, and the cipher itself then represents a family of permutations. By studying the properties of permutations we can examine how, for example, permutations generated by an iterative block structure differ from truly random permutations.

Our research was initially motivated by the results presented in Table 1, which shows the average maximum differential approximation to several thousand n-bit permutations, 4 ≤ n ≤ 8, with respect to the group operations ⊕, ⊞ and ⊙. In all cases $DP_\otimes(\pi)$ was maximised for XOR differences. For example, the column for n = 8 indicates that the best approximation for 8-bit mappings with respect to ⊗ ∈ {⊙, ⊞} will have a probability between 7/256 and 8/256, while the corresponding probability for XOR differences was between 10/256 and 12/256. Experiments also showed that XOR differences yielded higher probability differentials for the S-boxes of DES than differences with respect to ⊞. While this phenomenon is quite likely to be known by some researchers (see the footnote below), this is the first paper which analyses it mathematically.

We first present our main results and then discuss their implications. We will consider all abelian groups of order $2^n$, and to this end, let $(\mathbb{Z}_2^n, \otimes)$ be an abelian group of order $2^n$ with identity element I. For $\alpha, \beta \in \mathbb{Z}_2^n \setminus \{I\}$ and an n-bit permutation π we define

$$DP_\otimes(\pi, \alpha, \beta) = \frac{1}{2^n} \sum_{\substack{X, X^* \\ \Delta(X, X^*) = \alpha}} \big[\,\Delta(\pi(X), \pi(X^*)) = \beta\,\big]$$

where [·] is a predicate that evaluates to 0 or 1. Thus $DP_\otimes(\pi, \alpha, \beta)$ is the probability that an input difference of α leads to an output difference of β in π when differences are defined with respect to ⊗. Further, we define $DP_\otimes(\pi) = \max_{\alpha, \beta \ne I} DP_\otimes(\pi, \alpha, \beta)$ to be the highest probability difference in π with respect to ⊗. One of the main results of this paper is to prove that asymptotically, for uniformly selected π,

$$\Pr\left[DP_\otimes(\pi) \le \frac{n \ln 2}{2^{n-2} \ln n}\right] \sim 1, \qquad \otimes \in \{\boxplus, \odot\}, \tag{3}$$

$$\Pr\left[\frac{n \ln 2}{2^{n-2} \ln n} \le DP_\otimes(\pi) \le \frac{n}{2^{n-1}}\right] \sim 1, \qquad \otimes = \oplus. \tag{4}$$

Equivalently, the fraction of n-bit permutations that do not satisfy the bounds of (3) and (4) tends to 0 as n increases. Our results concentrate on a comparison between ⊗ = ⊕ and ⊗ ∈ {⊞, ⊙}, since the latter two group operations are the most pertinent to cryptography. The $(n \ln 2)/(2^{n-2} \ln n)$ term in (3) and (4) is derived as an asymptotic estimate of $2B_n/2^n$ where $B_n = \ln N^2 / \ln\ln N^2$ and $N = 2^n - 1$ is the number of non-trivial differences. For smaller n, $2B_n$ can be used in (3) and (4), and some relevant values of $B_n$ are given in Table 2. For 8-bit permutations the critical value is $2\lceil B_8 \rceil = 10$, meaning that XOR approximations are likely (see the first footnote below) to occur with probability at least 10/256, while approximations based on ⊗ ∈ {⊞, ⊙} occur with probability less than 10/256. The general conclusion is that it is very likely that selecting a permutation π at random will yield higher probability XOR difference approximations than differences defined with respect to the groups ⊞ and ⊙ (see the second footnote below).

Footnote: For example, this observation was stated by M. Dichtl during a seminar presented at the Isaac Newton Institute, 1996.

| n | 8 | 16 | 32 | 64 | 128 | 256 | 512 | 1024 |
|---|---|---|---|---|---|---|---|---|
| $B_n$ | 4.6 | 7.2 | 11.7 | 20.8 | 34.3 | 60.4 | 108.1 | 195.6 |
| $2\lceil B_n \rceil$ | 10 | 16 | 24 | 42 | 70 | 122 | 218 | 392 |

Table 2. The values of $B_n = \ln N^2 / \ln\ln N^2$, $N = 2^n - 1$, for several n.

The bounds of (3) and (4) indicate that with high probability the best DC XOR approximation to a 64-bit permutation lies in an interval whose lower end is given by (4) and whose upper end is $2^{-57}$, while for a 128-bit permutation the upper end of the interval is $2^{-120}$. Thus if we assume that 48-round DES acts as a random 64-bit permutation, the best XOR approximation will occur with much higher probability than suggested by extending the 2-round iterative characteristic used for the DC of 16-round DES. While we acknowledge that it may be computationally infeasible to find such a high probability characteristic, the bounds of (3) and (4) strongly suggest that far more probable DC approximations are available than indicated by the round-by-round approximation approach based on characteristics.

We are hesitant to apply our results in general to existing ciphers, say by changing ⊕ operations to ⊞ operations and claiming improved security against DC. This is certainly not the case for DES [?]. We believe that to fully take advantage of our results would require the design of a new cipher, and this is not the subject of this paper. We hope that our present results will form the basis for further research into the most appropriate group operation(s) to be used in the design and analysis of block ciphers against DC. We note however that Adams [?] has already used our results to suggest the security of the CAST-256 algorithm. We also note that in general the designer cannot force the cryptanalyst to use differences defined with respect to a given group operation ⊗. A case in point is a DC of RC5 [?] where the natural choice of difference was based on ⊞, but differences with respect to ⊕ were used regardless. On the other hand, XOR differences give high probability approximations to the two S-boxes used in SAFER K-64, but the use of other non-XOR operations such as the Pseudo-Hadamard Transform appears to have successfully thwarted DC based on XOR differences alone.

It remains now to prove (3) and (4). As a first step we determine that the distribution of $DP_\otimes(\pi, \alpha, \beta)$ asymptotically follows the Poisson distribution $\Pr[X = t] = e^{-\mu}\,\mu^t / t!$, for t ≥ 0. When both group elements α, β have order 2, the Poisson parameter is μ = 1/2, while it is μ = 1 for any other pair of elements with orders both distinct from 2. Note that all elements of $(\mathbb{Z}_2^n - \{0\}, \oplus)$ have order 2, while almost all elements of $(\mathbb{Z}_2^n - \{I\}, \otimes)$, ⊗ ≠ ⊕, have order greater than 2, which will be shown to cause the higher XOR approximations. Also, similar comments apply if α is a difference with respect to $\otimes_1$ and β is a difference with respect to $\otimes_2$. Such differences have been called quasi-differentials [?], and naturally arise in the DC of SAFER [?], which uses both ⊕ and ⊞ to mask the inputs and outputs of its S-boxes.

The upper bound in (4) is from [?], while, given $E[Y_k] = \sum_{\alpha, \beta} \Pr(DP_\otimes(\pi, \alpha, \beta) = k)$, the upper bound in (3) can be proven directly from $\Pr(DP_\otimes(\pi) < t) \ge 1 - \sum_{k \ge t} E[Y_k]$ when $Y_k = o(2^n)$. The lower bound in (4) is harder to prove. Note that $Y_k$ defined above is the number of entries of size k in the difference table, and $E[Y_k]$ its expectation. Our approach is to find a value of k for which $E[Y_k] > n$ and $\mathrm{Var}[Y_k] \sim n$, from which it follows via Chebychev's inequality that an entry of size k exists with probability tending to 1 with n. As it turns out, $k = B_n$ satisfies these conditions. Even though we work with expectations, we note that the bounds in (3) and (4) are not expectations or for the average case.

Footnote: We note that the authors of TWOFISH were able to find 8-bit permutations with best XOR difference approximation of at most 10/256 in 'a few tens of hours' [?, p. 24]. These permutations were composed to form the basis of the S-boxes for TWOFISH, where for a majority of the keys the best XOR approximation has probability 12/256.

Footnote: We note that it is always possible to pick a 'cooked' permutation π for which XOR differences have lower probability than ⊗ ∈ {⊞, ⊙} differences, such as π(x) = x ⊗ c for some group element c. We simply assert that this event is unlikely to happen if π is selected randomly or in some unbiased manner.
The paper is set out as follows. In Section 2 we introduce notation and reduce the problem of enumerating $2^n \cdot DP_\otimes(\pi, \alpha, \beta)$ to a counting problem on graphs. This counting problem is combined with the inclusion-exclusion principle to obtain the distribution of probabilities for a differential approximation. The distribution of values for individual entries is then shown to be asymptotically Poisson, after which the bounds given in (3) and (4) are proven. Our conclusions follow, and several proofs are delegated to the appendix.

2 An Equivalent Graph Theory Problem

We let $\Pi^{(n)}$ denote the set of $n$-bit permutations, and write $\pi \in_R \Pi^{(n)}$ to denote a uniformly selected $n$-bit permutation. The problem of determining the distribution of $DP_\otimes(\pi)$ can be considered as an enumeration problem: count the number of edge-preserving mappings between two appropriately defined directed graphs, given below. Recall that the set of $n$-bit blocks is denoted $\mathbb{Z}_2^n$ and can be represented by the set $\{0, 1, \ldots, 2^n - 1\}$.

Definition 1. For a group $(\mathbb{Z}_2^n, \otimes)$ of order $2^n$ and a non-trivial (non-identity) difference $\alpha \in \mathbb{Z}_2^n$ there is an associated directed graph $D_\alpha = (V, E_\alpha)$, $|V| = 2^n$, where each vertex $v \in V$ has a unique label $l(v) \in \mathbb{Z}_2^n$. Then any group element $X$ is uniquely associated with the vertex $u \in V$ such that $l(u) = X$. The directed edge set of $D_\alpha$ is defined as $E_\alpha = \{(u,v) \mid \Delta(l(u), l(v)) = \alpha\}$, meaning that $(u,v)$ is an edge when $X = l(u)$, $X^* = l(v)$ and $\Delta(X, X^*) = \alpha$. We call $D_\alpha$ the difference graph of $\alpha$ with respect to $\otimes$. □

As a result of the group property, every vertex of $D_\alpha$ and $D_\beta$ has indegree and outdegree one. Consequently, the arcs of $D_\alpha$ and $D_\beta$ form cycles. Further, $D_\alpha$ consists of labeled disjoint cycles of length $\mathrm{ord}\,\alpha$, which follows from Lagrange's Theorem since the cycles correspond to cosets. Let $D_\alpha = (V, E_\alpha)$ and $D_\beta = (V, E_\beta)$ be the difference directed graphs representing any two differences $\alpha, \beta \in \mathbb{Z}_2^n$. For a permutation $\pi \in \Pi^{(n)}$ we define
$$d_{\otimes,\pi}(D_\alpha, D_\beta) = \#\{(u,v) \in E_\alpha \mid (u^*, v^*) \in E_\beta,\ l(u^*) = \pi(l(u)),\ l(v^*) = \pi(l(v))\}.$$
Thus $2^n \cdot DP_\otimes(\pi,\alpha,\beta) = d_{\otimes,\pi}(D_\alpha, D_\beta)$, and this value depends on the number of edges mapped between the two difference graphs.

Example 2. Consider $(\mathbb{Z}_2^3, \boxplus)$, the group of addition modulo 8. The directed graphs $D_1, D_2$ representing the differences $\Delta(X,X^*) = 1$ and $\Delta(X,X^*) = 2$ are shown in Figure 1. Notice that the arcs of $D_1$ and $D_2$ form cycles of length 8 and 4 respectively, as $\mathrm{ord}\,1 = 8$ and $\mathrm{ord}\,2 = 4$ with respect to $\boxplus$. Let $\pi \in \Pi^{(3)}$ be the permutation $(3, 0, 7, 1, 2, 5, 4, 6)$, where $\pi(0) = 3$, $\pi(1) = 0$, $\pi(2) = 7$ and so on. Then the only arcs of $D_1$ mapped by $\pi$ to arcs of $D_2$ are the arcs labeled by $(3,2)$ and $(7,6)$ of $D_1$, which are mapped to the arcs labeled by $(1,7)$ and $(6,4)$ of $D_2$ respectively. Consequently $DP_\boxplus(\pi, 1, 2) = d_{\boxplus,\pi}(D_1, D_2) = 2$. □

Fig. 1. The directed graphs $D_1$ and $D_2$ representing the two differences $\Delta(X,X^*) = 1$ and $\Delta(X,X^*) = 2$, using the 3-bit $\boxplus$ operation to define the differences.
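The construction of Definition 1 and the arc count of Example 2, as an added Python example (my code, not the authors'). The group difference is taken as in the example, $\Delta(X, X^*) = X \boxminus X^*$, so $(u, v)$ is an arc of $D_\alpha$ exactly when $l(u) = l(v) \otimes \alpha$; everything else follows the definitions above.

```python
# Added example, not from the paper: the difference graphs of Definition 1 and
# the arc count d_{⊗,π}(D_α, D_β) of Example 2, for (Z_2^3, ⊞) and (Z_2^3, ⊕).


def difference_graph(n, alpha, diff):
    """Arc set E_α = {(u, v) : Δ(l(u), l(v)) = alpha} of D_α on the 2^n labels.

    `diff(u, v)` is the group difference Δ(u, v) = u ⊟ v, so (u, v) is an arc
    exactly when u = v ⊗ alpha; every vertex then has in- and outdegree one."""
    size = 1 << n
    return {(u, v) for u in range(size) for v in range(size) if diff(u, v) == alpha}


def cycles(arcs):
    """Split the arcs into their disjoint cycles (the cosets of <alpha>);
    every cycle has length ord alpha, as the text notes via Lagrange's theorem."""
    succ = dict(arcs)                 # u -> v is the unique arc leaving u
    seen, result = set(), []
    for start in succ:
        if start in seen:
            continue
        cycle, v = [], start
        while v not in seen:
            seen.add(v)
            cycle.append(v)
            v = succ[v]
        result.append(cycle)
    return result


def preserved_arcs(perm, e_alpha, e_beta):
    """d_{⊗,π}(D_α, D_β): arcs (u, v) of D_α whose image (π(u), π(v)) is an arc
    of D_β.  Its size equals 2^n · DP_⊗(π, α, β)."""
    return sorted((u, v) for (u, v) in e_alpha if (perm[u], perm[v]) in e_beta)


def add_diff(n):
    """Δ with respect to ⊞ (addition modulo 2^n): Δ(X, X*) = X − X* mod 2^n."""
    return lambda u, v: (u - v) % (1 << n)


def xor_diff(n):
    """Δ with respect to ⊕: Δ(X, X*) = X ⊕ X*."""
    return lambda u, v: u ^ v


def example_2():
    """Example 2 of the text: (Z_2^3, ⊞), α = 1, β = 2, π = (3,0,7,1,2,5,4,6)."""
    n, diff = 3, add_diff(3)
    d1, d2 = difference_graph(n, 1, diff), difference_graph(n, 2, diff)
    pi = [3, 0, 7, 1, 2, 5, 4, 6]           # π(0) = 3, π(1) = 0, π(2) = 7, ...
    kept = preserved_arcs(pi, d1, d2)
    return {
        "cycle_lengths_D1": sorted(len(c) for c in cycles(d1)),   # ord 1 = 8
        "cycle_lengths_D2": sorted(len(c) for c in cycles(d2)),   # ord 2 = 4
        "kept_arcs": kept,                                        # [(3, 2), (7, 6)]
        "their_images": [(pi[u], pi[v]) for (u, v) in kept],      # [(1, 7), (6, 4)]
        "count": len(kept),                                       # 2^3 · DP_⊞(π, 1, 2) = 2
    }


def xor_cycle_lengths(n, alpha):
    """Under ⊕ every non-trivial α has order 2, so D_α is 2^(n-1) disjoint 2-cycles."""
    return sorted(len(c) for c in cycles(difference_graph(n, alpha, xor_diff(n))))


if __name__ == "__main__":
    print(example_2())
    print(xor_cycle_lengths(3, 1))
```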



Theorem 3. For any Abelian group $G$ and elements $\alpha, \beta \in G$, the probability $\Pr(2^n \cdot DP_\otimes(\pi,\alpha,\beta) = t)$ only depends on $t$, $\mathrm{ord}\,G = \#G$, $a = \mathrm{ord}\,\alpha$ and $b = \mathrm{ord}\,\beta$. For $a = 2^r$, $b = 2^s$, $1 \leq r \leq n$, $1 \leq s \leq n$, and $0 \leq t \leq 2^n$, define
$$p_t(\#G, a, b) = \Pr\big(2^n \cdot DP_\otimes(\pi,\alpha,\beta) = t \mid \pi \in_R \Pi^{(n)}\big). \qquad (4)$$

Our main goal is to show that $p_t(\#G, a, b)$ asymptotically follows the Poisson distribution. To show this we need to consider the distribution of (element) orders in $(\mathbb{Z}_2^n, \otimes)$. In the group $(\mathbb{Z}_2^n, \oplus)$, all the nonzero elements have order 2, and the resulting directed graphs $D_\alpha$ consist of $2^{n-1}$ cycles of length 2. However, in the group $(\mathbb{Z}_2^n, \boxplus)$ there are $2^{a-1}$ elements of order $2^a$, $1 \leq a \leq n$, and the identity (0) has order one. For $2^n + 1$ prime, the groups $(\mathbb{Z}_2^n, \odot)$ and $(\mathbb{Z}_2^n, \boxplus)$ are isomorphic, and thus have the same distribution of orders.

Corollary 4. Let $\otimes \in \{\boxplus, \odot\}$. Then there are $2^{2a-2}$ pairs of group elements $\alpha, \beta$ for which $\mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2^a$, $1 \leq a \leq n$, and $2^{a+b-1}$ pairs for which $\{\mathrm{ord}\,\alpha, \mathrm{ord}\,\beta\} = \{2^a, 2^b\}$, $1 \leq a < b \leq n$.

To bound the value of $DP_\otimes(\pi)$, we need only determine $p_t(2^n, a, b)$ for $a = 2^r$, $b = 2^s$, $1 \leq r \leq n$, $1 \leq s \leq n$, and $0 \leq t \leq 2^n$, and apply Corollary 4. We now cast determining $p_t(2^n, a, b)$ as an enumeration problem in terms of the inclusion-exclusion principle (IEP) (see for example Hall [9]).

Let $\alpha$ and $\beta$ be elements of $(\mathbb{Z}_2^n, \otimes)$, and let $D_\alpha = (V, E_\alpha)$ and $D_\beta = (V, E_\beta)$ be their respective (difference) graphs. For each edge $uv \in E_\alpha$ define $A_{uv}$ as $A_{uv} = \{\pi \in \Pi^{(n)} \mid (\pi(u), \pi(v)) \in E_\beta\}$, which is the set of permutations $\pi$ that preserve the edge $uv$ of $D_\alpha$ in $D_\beta$. Then, by the inclusion-exclusion principle, the number of permutations $\pi$ that preserve exactly $t$ edges from $D_\alpha$ in $D_\beta$ is



$$P_t = \sum_{i=t}^{2^n} (-1)^{i-t} \binom{i}{t} S_i, \qquad S_k = \sum_{Y \subseteq E_\alpha,\ |Y| = k} \Big| \bigcap_{uv \in Y} A_{uv} \Big|, \qquad (5)$$



and it follows that $p_t(2^n, a, b) = P_t/(2^n!)$. In the case of XOR differences ($\otimes = \oplus$) it is known [ref] that
$$P_{2t} = \binom{2^{n-1}}{t}^2 \cdot 2^t \cdot t! \cdot \Phi(2^{n-1} - t). \qquad (6)$$






In this case we can immediately prove that $p_{2t}(2^n, 2, 2)$ is asymptotically Poisson distributed.

Lemma 5. If $t \in o(2^{n/2})$ as $n \to \infty$, then
$$p_{2t}(2^n, 2, 2) = e^{-1/2} \cdot \frac{(1/2)^t}{t!} \cdot \big(1 + O((t+1)^2/2^n)\big).$$

Proof. From (6) we have that
$$p_{2t}(2^n, 2, 2) = \frac{1}{2^n!} \cdot \binom{2^{n-1}}{t}^2 \cdot 2^t \cdot t! \cdot \Phi(2^{n-1} - t), \qquad (7)$$
where $\Phi(2^{n-1} - t) = (2^n - 2t)! \cdot e^{-1/2} \cdot (1 + O(1/(2^n - 2t)))$. If $t \in o(2^{n/2})$ then it can be shown that
$$\binom{2^{n-1}}{t} = \frac{(2^{n-1})^t}{t!} \cdot \big(1 + O(t^2/2^{n-1})\big) = \frac{(2^n/2)^t}{t!} \cdot \big(1 + O(t^2/2^n)\big), \qquad (2^n - 2t)! = \frac{2^n!}{(2^n)^{2t}} \cdot \big(1 + O(t^2/2^{n-1})\big),$$
as $(1 + O(t^2/2^n))^2 = 1 + 2 \cdot O(t^2/2^n) + O(t^4/2^{2n}) = 1 + O(t^2/2^n)$. Substituting these approximations into (7) yields the theorem. □



In this case determining an exact expression for $P_t$ is assisted by the fact that $\mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2$, and the sets $A_{uv}$ are 'independent' in the sense that $uv$ is the only edge incident on $u$ and $v$. For a general group operation $\otimes \neq \oplus$, most group elements $\alpha$ will have $\mathrm{ord}\,\alpha > 2$, and hence induce a difference graph for which there exist sets $A_{u_1 v_1}$ and $A_{u_2 v_2}$ with $v_1 = u_2$. Dependence between the $A_{uv}$ sets considerably complicates the expressions for $P_t$. The following expression for $p_t(2^n, 2, 4)$ is taken from [10], which also gives an involved formula for $p_t(2^n, 4, 4)$.

Lemma 6. For $n \geq 2$ and $0 \leq t \leq 2^{n-1}$,
$$p_t(2^n, 2, 4) = \frac{1}{2^n!} \cdot \sum_{i=0}^{\ldots} \ldots \qquad (8)$$
where for $0 \leq k \leq 2^n$, $S_k = \ldots$



For general $a, b \geq 4$ the expression for $S_k = S_k(a, b)$ becomes increasingly difficult to determine exactly, and we therefore consider an asymptotic approximation. We denote $\pi(Y) = \{(u^*, v^*) \mid l(u^*) = \pi(l(u)),\ l(v^*) = \pi(l(v)),\ (u,v) \in Y\}$, so that we can represent $\bigcap_{uv \in Y} A_{uv} = \{\pi \mid \pi(Y) \subseteq E_\beta\}$. Observe that $S_k$ is defined in terms of preserved edges, but it may be further decomposed into terms of preserved vertices. Observe that a set of $k$ edges is incident on at least $k$ vertices (a cycle) and at most $2k$ vertices (disjoint edges). Let $\rho(Y)$ be the number of vertices which are incident to the edges of $Y$, where $k \leq \rho(Y) \leq 2k$. For $k \leq j \leq 2k$, define
$$\phi(k, j) = \sum_{Y \subseteq E_\alpha,\ |Y| = k,\ \rho(Y) = j} \big|\{\pi \mid \pi(Y) \subseteq E_\beta\}\big|,$$
such that $S_k$ can be expressed as $S_k = \sum_{j=k}^{2k} \phi(k, j)$. As it turns out, $S_k \sim \phi(k, 2k)$, meaning that $S_k$ is dominated by the term mapping disjoint edges of $D_\alpha$ to disjoint edges in $D_\beta$. In [10] it was proven that for $k = o(2^{n/2})$, $\phi(k, 2k) = \frac{2^n!}{k!} \cdot (1 + o(1))$, which leads to the next theorem.

Theorem 7. Suppose that $n > 0$, $a = 2^r$, $b = 2^s$, $1 \leq r \leq n$ and $2 \leq s \leq n$. Then $S_k = \frac{2^n!}{k!} \cdot (1 + O(k^2/2^n))$ for $k \in o(2^{n/2})$ as $n \to \infty$.

The proof of Theorem 7 is involved and lengthy, and the reader is referred to [10] for details. It still remains to derive an expression for general $p_t(2^n, a, b)$ from $P_t$ and $S_t$. Our results are based on the following adaptation of a theorem by Bender [2].

Theorem 8. Suppose there is a function $A(n)$ and a value $\lambda > 0$ such that
$$S_k = A(n) \cdot \frac{\lambda^k}{k!} \cdot \big(1 + O(f(k)/g(n))\big),$$
and $f(k) \in o(g(n))$ for $0 \leq k \leq l(n)$, where $l(n)$ goes to infinity with $n$. Let $j = l(n) - t$ and define $f^*(t) = f(t + j) \cdot \lambda^j / j!$. If $m(n)$ is a function such that $l(n) - m(n)$ goes to infinity with $n$, then for each $t$, $0 \leq t \leq m(n)$,
$$P_t = A(n) \cdot e^{-\lambda} \cdot \frac{\lambda^t}{t!} \cdot \big(1 + O(f^*(t)/g(n))\big). \qquad (9)$$

By applying this theorem we are able to show that $p_t(2^n, a, b)$ is asymptotically Poisson.

Corollary 9. Provided $a > 2$ or $b > 2$, and $t \in o(2^{n/2}/2)$,
$$p_t(2^n, a, b) = \frac{e^{-1}}{t!} \cdot \big(1 + O((t+1)^2/2^n)\big).$$

Proof. Theorem 7 proves that $S_k = \frac{2^n!}{k!} \cdot (1 + O(k^2/2^n))$ for $k = o(2^{n/2})$. Theorem 8 can now be applied with $A(n) = 2^n!$, $\lambda = 1$, $l(n) = o(2^{n/2})$, $f(k) = k^2$, $g(n) = 2^n$, $f^*(t) = O((t+1)^2)$ and $m(n) = o(2^{n/2})$. □

The main result of this section can now be stated, which we call the asymptotic Poisson approximation (PA) to $DP_\otimes(\pi, \alpha, \beta)$.

Theorem 10. Let $(\mathbb{Z}_2^n, \otimes)$ be an Abelian group of order $2^n$ and $\alpha, \beta \in \mathbb{Z}_2^n$ be non-trivial differences. If $\pi \in_R \Pi^{(n)}$ and $t = o(2^{n/2})$, then
$$\Pr\Big(DP_\otimes(\pi, \alpha, \beta) = \frac{2t}{2^n}\Big) \sim e^{-1/2} \cdot \frac{(1/2)^t}{t!} \quad \text{if } \mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2,$$
$$\Pr\Big(DP_\otimes(\pi, \alpha, \beta) = \frac{t}{2^n}\Big) \sim \frac{e^{-1}}{t!} \quad \text{otherwise.}$$

Let $E[X]$, $\mathrm{Var}[X] = E[X^2] - (E[X])^2$ and $\sigma[X] = \sqrt{\mathrm{Var}[X]}$ denote the expectation, variance and standard deviation of the random variable $X$. It is known that if the distribution of values for $X$ is Poisson, then $\mathrm{Var}[X] = E[X] = \mu$. Then, for example, a little algebraic manipulation reveals that the distribution of values for $DP_\otimes(\pi, \alpha, \beta)$ has $E[DP_\otimes(\pi, \alpha, \beta)] \sim 1/2^n$ and $\sigma[DP_\otimes(\pi, \alpha, \beta)] \sim \eta/2^n$, where $\eta = \sqrt{2}$ if $\mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2$ and $\eta = 1$ otherwise. This indicates that the probabilities for a differential approximation $\Delta X = \alpha \to \Delta\pi(X) = \beta$ where $\mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2$ are distributed $\sqrt{2}$ times as far from $1/2^n$ as the probabilities for other differential approximations. Consequently, differential approximations for which $\mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2$ are more likely to have higher probabilities.

3 Bounding the Maximum Difference Table Entry

In this section we use the PA to obtain bounds on $DP_\otimes(\pi)$ that hold asymptotically with probability one. The distribution of differences with respect to $\oplus$ is approximated using a Poisson distribution with $\mu = 1/2$, as all non-trivial elements have order two. The distribution of differences for $\otimes \in \{\boxplus, \odot\}$ is approximated using a Poisson distribution with $\mu = 1$, as there is only one pair $(\alpha, \beta)$ with $\mathrm{ord}\,\alpha = \mathrm{ord}\,\beta = 2$. We determine the expectation and variance of $\theta_t(\otimes, \pi)$, defined to be
$$\theta_t(\otimes, \pi) = \frac{1}{(2^n - 1)^2} \sum_{\alpha \neq I} \sum_{\beta \neq I} \big[\, 2^n \cdot DP_\otimes(\pi, \alpha, \beta) = t \,\big], \qquad (10)$$
which is the fraction of input/output differences that map exactly $t$ pairs, $0 \leq t \leq 2^n$.

Corollary 11. For $\pi \in_R \Pi^{(n)}$, $E[\theta_{2t}(\oplus, \pi)] \sim e^{-1/2} \cdot (1/2)^t / t!$ and $E[\theta_t(\otimes, \pi)] \sim e^{-1}/t!$ uniformly for $t = o(2^{n/2})$, where $\otimes \in \{\boxplus, \odot\}$.

This information is sufficient for obtaining upper bounds on $DP_\otimes(\pi)$ for $\otimes \in \{\oplus, \boxplus, \odot\}$. However, to obtain our lower bound on the maximum entry in difference tables with respect to $\oplus$, the variance of $\theta_{2t}(\oplus, \pi)$ is required. We have not attempted to determine the variance of $\theta_t(\otimes, \pi)$ for $\otimes \in \{\boxplus, \odot\}$, as the counting problem is very complex and this variance is not required for the results of this paper. See [10] for a proof of the next lemma.

Lemma 12. For $\pi \in_R \Pi^{(n)}$ and $t = o(2^{n/2})$, …
For nontrivial $\alpha, \beta$ and $0 \leq t \leq 2^n$ define $\Psi^{(t)}_{\alpha\beta} = 1$ if $2^n \cdot DP_\oplus(\pi, \alpha, \beta) = 2t$ and $\Psi^{(t)}_{\alpha\beta} = 0$ otherwise. It follows that $\Psi^{(t)} = \sum_{\alpha,\beta} \Psi^{(t)}_{\alpha\beta} = (2^n - 1)^2 \cdot \theta_{2t}(\oplus, \pi)$. Note that $E[\Psi^{(t)}] = (2^n - 1)^2 \cdot E[\theta_{2t}(\oplus, \pi)] \sim (2^n - 1)^2 \cdot e^{-1/2} \cdot \frac{(1/2)^t}{t!}$ for $t = o(2^{n/2})$. Similarly,
$$\mathrm{Var}[\Psi^{(t)}] = (2^n - 1)^4 \cdot \mathrm{Var}[\theta_{2t}(\oplus, \pi)] \qquad (11)$$
$$\sim (2^n - 1)^2 \cdot \frac{e^{-1/2}}{2^t \cdot t!} \cdot \Big(1 - \frac{e^{-1/2}}{2^t \cdot t!}\Big) \qquad (12)$$
$$\sim E[\Psi^{(t)}] \cdot \Big(1 - \frac{e^{-1/2}}{2^t \cdot t!}\Big), \qquad (13)$$
drawing on the result of Lemma 12. Define $B_n$ as $B_n = \ln N^2 / \ln \ln N^2$, where $N = 2^n - 1$, and observe that the Poisson approximation (Corollary 11) holds for $0 \leq t \leq 2B_n$ since $2B_n = o(2^{n/2})$. The next two lemmas are proved using the previous variance calculations in the Appendix.

Lemma 13. If $\pi \in_R \Pi^{(n)}$, then $\Pr\big(B_n/2^{n-1} \leq DP_\oplus(\pi) < n/2^{n-1}\big) \sim 1$.

Lemma 14. If $\pi \in_R \Pi^{(n)}$, then $\Pr\big(DP_\otimes(\pi) < B_n/2^{n-1}\big) \sim 1$, where $\otimes \in \{\boxplus, \odot\}$.

Asymptotically $B_n$ tends to $(2n \ln 2)/\ln n$, which when applied to the previous two lemmas determines the bounds given in (1) and (2). Statements concerning the best differential approximation of a randomly selected permutation can now be made. For example, the probability of the best approximation with respect to XOR differences is in the range $[2^{-58.6}, 2^{-57}]$ for a random 64-bit permutation and in the range $[2^{-121.9}, 2^{-120}]$ for a random 128-bit permutation. The values $2^{-58.6}$ and $2^{-121.9}$ are upper bounds on the probability of approximations with respect to $\otimes \neq \oplus$ for random 64-bit and 128-bit permutations respectively. Further bounds on the maximum entry can be obtained for difference tables with respect to other group operations, and these bounds will rely primarily on the fraction of entries in the difference table for which both elements have order 2.

Finally, Lemma 13 and Lemma 14 combine to confirm our initial observation that in general XOR differences yield higher probability approximations than differences with respect to modular addition and modular multiplication.

Corollary 15. If $\pi \in_R \Pi^{(n)}$, then $\Pr\big(DP_\oplus(\pi) > DP_\otimes(\pi)\big) \sim 1$, for $\otimes \in \{\boxplus, \odot\}$.
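To see the quantities of this section on a small instance, an added example (my own code, not the paper's): it builds the $\oplus$ and $\boxplus$ difference tables of one seeded random 8-bit permutation, tabulates $\theta_t(\otimes, \pi)$ of (10) beside the Poisson values of Corollary 11, and reports the largest entry beside the thresholds $2B_n$ and $2n$ of Lemmas 13 and 14. The seed and $n = 8$ are my choices; at this size the lemmas' asymptotic statements are only indicative, so the code checks exact invariants (row sums, even $\oplus$ entries) rather than the asymptotics.

```python
# Added example, not from the paper: empirical θ_t(⊗, π) for a seeded random
# permutation versus the Poisson approximation, plus the maximum table entry
# beside 2B_n and 2n.  n = 8 and the seed are my choices.
import math
import random
from collections import Counter


def difference_table(perm, n, op, diff):
    """counts[(α, β)] = 2^n · DP_⊗(π, α, β) = #{X : Δ(π(X ⊗ α), π(X)) = β}.

    `op(x, a)` is x ⊗ a and `diff(u, v)` is Δ(u, v) = u ⊟ v.  The identity never
    occurs as an output difference because π is a bijection."""
    counts = Counter()
    for alpha in range(1, 1 << n):
        for x in range(1 << n):
            counts[(alpha, diff(perm[op(x, alpha)], perm[x]))] += 1
    return counts


def row_sums(counts):
    """Set of row totals: every row α must sum to 2^n (each X lands in one β)."""
    sums = Counter()
    for (alpha, _beta), c in counts.items():
        sums[alpha] += c
    return set(sums.values())


def theta(counts, n):
    """θ_t(⊗, π) of (10): fraction of the (2^n − 1)^2 non-trivial (α, β) pairs
    whose entry equals t, the pairs with entry 0 included."""
    pairs = ((1 << n) - 1) ** 2
    hist = Counter(counts.values())
    hist[0] = pairs - sum(hist.values())
    return {t: c / pairs for t, c in sorted(hist.items())}


def poisson(mu, t):
    return math.exp(-mu) * mu ** t / math.factorial(t)


def b_n(n):
    """B_n = ln N^2 / ln ln N^2 with N = 2^n − 1, as defined before Lemma 13."""
    n2 = ((1 << n) - 1) ** 2
    return math.log(n2) / math.log(math.log(n2))


def analyse(n, seed):
    """Difference tables of one seeded random n-bit permutation for ⊕ and ⊞."""
    size = 1 << n
    perm = list(range(size))
    random.Random(seed).shuffle(perm)
    xor = difference_table(perm, n, lambda x, a: x ^ a, lambda u, v: u ^ v)
    add = difference_table(perm, n, lambda x, a: (x + a) % size,
                           lambda u, v: (u - v) % size)
    return {
        "theta_xor": theta(xor, n),
        "theta_add": theta(add, n),
        # Corollary 11: θ_{2t}(⊕) ≈ e^{-1/2} (1/2)^t / t!  and  θ_t(⊞) ≈ e^{-1} / t!
        "poisson_xor": {2 * t: poisson(0.5, t) for t in range(8)},
        "poisson_add": {t: poisson(1.0, t) for t in range(8)},
        "max_xor": max(xor.values()),       # 2^n · DP_⊕(π)
        "max_add": max(add.values()),       # 2^n · DP_⊞(π)
        "two_B_n": 2 * b_n(n),              # Lemma 13 lower / Lemma 14 upper threshold
        "two_n": 2 * n,                     # Lemma 13 upper threshold
        "xor_table": xor,
        "add_table": add,
    }


if __name__ == "__main__":
    r = analyse(8, seed=1999)
    print(" t   theta_xor  poisson(1/2)  theta_add  poisson(1)")
    for t in range(12):
        print(f"{t:2d}  {r['theta_xor'].get(t, 0.0):9.4f}  {r['poisson_xor'].get(t, 0.0):12.4f}"
              f"  {r['theta_add'].get(t, 0.0):9.4f}  {r['poisson_add'].get(t, 0.0):10.4f}")
    print("max entries: xor", r["max_xor"], " add", r["max_add"],
          " 2B_n =", round(r["two_B_n"], 2), " 2n =", r["two_n"])
```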



4 Conclusion

We have shown that with high probability, XOR differences yield better differential approximations than differences with respect to $\otimes \in \{\boxplus, \odot\}$. Furthermore, we determined asymptotic approximations to the difference distribution of three group operations $\otimes \in \{\oplus, \boxplus, \odot\}$, and bounded the probability of the most likely difference. Further bounds on the maximum entry can be obtained for difference tables with respect to other group operations, and these bounds will rely primarily on the fraction of entries in the difference table for which both elements have order 2. The Poisson approximation (Corollary 11) can also be applied to quasi-differentials, and the maximum probability can be similarly bounded.

We have concentrated on the three groups defined by $\oplus$, $\boxplus$ and $\odot$, but other groups can be considered using the same analysis. The Poisson approximation of $DP_\otimes(\alpha, \beta)$ holds for all group elements with order at least 2. On the other hand, the bounds on $DP_\otimes(\pi)$ depend on the distribution of group elements. Bounding $DP_\otimes(\pi)$ for a given group $(G, \otimes)$ requires knowledge of how element orders are distributed within $G$. Our results in this paper are based on all non-identity elements of $(\mathbb{Z}_2^n, \oplus)$ having order 2, and the element orders of $(\mathbb{Z}_{2^n}, \boxplus)$ and $(\mathbb{Z}_{2^n+1}, \odot)$ being determined as in Corollary 4.

The distribution of entries in difference tables has previously been predicted using a "balls-in-bins" model [ref], summarized as follows. In modeling difference tables with respect to XOR, we let the "balls" represent the unordered pairs of difference $\alpha$ and let the "bins" represent the possible non-trivial output differences. If the $2^{n-1}$ input pairs of input difference $\alpha$ (the "balls") can be allocated randomly and independently to any of the $(2^n - 1)$ "bins", then the resulting distribution approaches a Poisson distribution with parameter $\mu = 2^{n-1}/(2^n - 1) \sim 1/2$. In modeling difference tables with respect to $\otimes \neq \oplus$, we let the "balls" represent the ordered pairs of difference $\alpha$ and let the "bins" represent the possible non-trivial output differences. If the $2^n$ input pairs of input difference $\alpha$ (the "balls") can be allocated randomly and independently to any of the $(2^n - 1)$ "bins", then the resulting distribution approaches a Poisson distribution with parameter $\mu = 2^n/(2^n - 1) \sim 1$. Our results add validity to the "balls-in-bins" approach for predicting $DP_\otimes(\pi)$.
5 Appendix

Lemma 13. If $\pi \in_R \Pi^{(n)}$, then $\Pr\big(B_n/2^{n-1} \leq DP_\oplus(\pi) < n/2^{n-1}\big) \sim 1$.

Proof. O'Connor [19] proved that $\Pr(DP_\oplus(\pi) \geq n/2^{n-1}) = o(1)$. Denote $\Psi = \Psi^{(B_n)}$ and observe that $\mathrm{Var}[\Psi] \sim E[\Psi]$ as $B_n$ increases with $n$. Chebychev's inequality (see for example [ref]) is applied to show that
$$\Pr(DP_\oplus(\pi) < 2B_n) \leq \Pr(\Psi = 0) \leq \Pr\big(|\Psi - E[\Psi]| \geq E[\Psi]\big) \leq \frac{\mathrm{Var}[\Psi]}{E[\Psi]^2},$$
which is asymptotic to $1/E[\Psi]$. The expected number of entries of size $2B_n$ in the difference table with respect to $\oplus$ is equal to
$$E[\Psi] = (2^n - 1)^2 \cdot E[\theta_{2B_n}(\oplus, \pi)] \sim N^2 \cdot \frac{e^{-1/2}}{2^{B_n} \cdot B_n!}.$$
By applying Stirling's formula for $n!$ (see, for example, [ref, page 213]),
$$B_n! \sim \Big(\frac{B_n}{e}\Big)^{B_n} \cdot \sqrt{2\pi B_n} = \frac{(\ln N^2)^{B_n}}{(e \cdot \ln\ln N^2)^{B_n}} \cdot \sqrt{2\pi B_n} = \frac{N^2}{(e \cdot \ln\ln N^2)^{B_n}} \cdot \sqrt{2\pi B_n},$$
where $(\ln N^2)^{\ln N^2/\ln\ln N^2} = e^{\ln\ln N^2 \cdot \ln N^2/\ln\ln N^2} = e^{\ln N^2} = N^2$. Consequently,
$$\Pr(DP_\oplus(\pi) < 2B_n) \lesssim \frac{1}{E[\Psi]} \sim \frac{2^{B_n} \cdot N^2 \cdot \sqrt{2\pi B_n}}{N^2 \cdot e^{-1/2} \cdot (e \cdot \ln\ln N^2)^{B_n}} \qquad (14)$$
$$= e^{1/2} \cdot \frac{\sqrt{2\pi B_n}}{((e/2) \cdot \ln\ln N^2)^{B_n}} \qquad (15)$$
$$= o(1), \qquad (16)$$
as $\sqrt{2\pi B_n} = o\big(((e/2) \cdot \ln\ln N^2)^{B_n}\big)$. Therefore, the probability that the maximum entry is either less than $2B_n$ or greater than or equal to $2n$ is $o(1)$, and the lemma is proved. □

Lemma 14. If $\pi \in_R \Pi^{(n)}$, then $\Pr\big(DP_\otimes(\pi) < B_n/2^{n-1}\big) \sim 1$, where $\otimes \in \{\boxplus, \odot\}$.

Proof. Assume $\otimes \neq \oplus$. Let $\Omega^{(t)} = (2^n - 1)^2 \cdot \theta_t(\otimes, \pi)$ denote the number of entries $t$ in the difference table with respect to $\otimes$, and in particular denote $\Omega = \Omega^{(2B_n)}$. Recall that $E[\Omega] = (2^n - 1)^2 \cdot E[\theta_{2B_n}(\otimes, \pi)] \sim N^2 \cdot e^{-1}/(2B_n)!$. By applying Stirling's formula for $n!$,
$$(2B_n)! \sim \Big(\frac{2B_n}{e}\Big)^{2B_n} \cdot \sqrt{2\pi \cdot 2B_n} = \Big(\frac{2 \ln N^2}{e \cdot \ln\ln N^2}\Big)^{2B_n} \cdot 2\sqrt{\pi B_n} \qquad (17)$$
$$= \frac{N^4}{((e/2) \cdot \ln\ln N^2)^{2B_n}} \cdot 2\sqrt{\pi B_n}, \qquad (18)$$
where $(\ln N^2)^{2B_n} = e^{\ln\ln N^2 \cdot 2\ln N^2/\ln\ln N^2} = e^{2 \ln N^2} = N^4$. Hence
$$E[\Omega] \sim N^2 \cdot e^{-1} \cdot \frac{((e/2) \cdot \ln\ln N^2)^{2B_n}}{N^4 \cdot 2\sqrt{\pi B_n}} = \frac{e^{-1}}{2\sqrt{\pi B_n}} \cdot \frac{((e/2) \cdot \ln\ln N^2)^{2B_n}}{N^2} = \frac{e^{-1}}{2\sqrt{\pi B_n}} \cdot \gamma(N),$$
where $\gamma(N) = ((e/2) \cdot \ln\ln N^2)^{2B_n} / (\ln N^2)^{B_n} = \big(e^2 (\ln\ln N^2)^2 / (4 \ln N^2)\big)^{B_n}$, and we can show that $\gamma(N) < 1$. Therefore,
$$E[\Omega] \leq \frac{e^{-1}}{2\sqrt{\pi B_n}} = o(1)$$
as $B_n$ increases with $n$. Now, for $2B_n = o(2^{n/2})$, $E[\Omega^{(t)}] \leq E[\Omega]/(2B_n)^{t - 2B_n}$. (The value of $E[\Omega^{(t)}]$ is insignificant for $t \notin o(2^{n/2})$.) Therefore, the expected number of entries greater than or equal to $2B_n$ in a difference table with respect to $\otimes$ is
$$\sum_{t \geq 2B_n} E[\Omega^{(t)}] \leq \sum_{t \geq 2B_n} \frac{1}{(2B_n)^{t - 2B_n}} \cdot E[\Omega] \qquad (19)$$
$$= E[\Omega] \cdot \sum_{i \geq 0} \frac{1}{(2B_n)^i} \qquad (20)$$
$$= \frac{E[\Omega]}{1 - 1/(2B_n)} \qquad (21)$$
$$\sim E[\Omega] = o(1). \qquad (22)$$
Note that the probability that $DP_\otimes(\pi) \geq B_n/2^{n-1}$ is less than the expected number of entries of size $t \geq 2B_n$. Therefore, $\Pr(DP_\otimes(\pi) \geq B_n/2^{n-1}) = o(1)$ as $n \to \infty$. □



References 

1. C. M. Adams. The CAST-256 Encryption Algorithm. NIST Advanced Encryption Standard (AES) submission, description available at http://www.entrust.com/resources/pdf/cast.pdf.

2. E. A. Bender. Asymptotic methods in enumeration. SIAM Review, 16(4):485-515, 1974.

3. E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3-72, 1991.

4. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, 1993.







5. J. Daemen and V. Rijmen. AES proposal: Rijndael. NIST Advanced Encryption Standard submission, description available at http://www.esat.kuleuven.ac.be/~rijmen/rijndael.

6. W. Feller. An Introduction to Probability Theory and its Applications. New York: Wiley, 3rd edition, Volume 1, 1968.

7. H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, and S. Vaudenay. Decorrelated Fast Cipher. NIST Advanced Encryption Standard (AES) submission, description available at http://www.dmi.ens.fr/~vaudenay/dfc.html.

8. R. P. Grimaldi. Discrete and Combinatorial Mathematics: An Applied Introduction. Addison Wesley Publishing Company, 1989.

9. M. Hall. Combinatorial Theory. Blaisdell Publishing Company, 1967.

10. P. Hawkes and L. J. O'Connor. Asymptotic bounds on differential probabilities. Technical Report RZ 3018, IBM Research Report, May 1998. Available from http://www.research.ibm.com.

11. B. S. Kaliski and L. Y. Yiqun. On differential and linear cryptanalysis of the RC5 algorithm. Advances in Cryptology, CRYPTO 95, Lecture Notes in Computer Science, vol. 963, D. Coppersmith ed., Springer-Verlag, pages 171-184, 1995.

12. M. Kanda, S. Moriai, A. Kazumaro, H. Ueda, M. Ohkubo, Y. Takashima, K. Ohta, and T. Matsumoto. Specification of E2 - a 128-bit block cipher. NIST Advanced Encryption Standard submission, description available at http://titan.isl.ntt.co.jp/e2.

13. X. Lai. On the design and security of block ciphers. ETH Series in Information Processing, editor J. Massey, Hartung-Gorre Verlag Konstanz, 1992.

14. X. Lai and J. L. Massey. A proposal for a new block encryption standard. In Advances in Cryptology, EUROCRYPT 90, Lecture Notes in Computer Science, vol. 473, I. B. Damgård ed., Springer-Verlag, pages 389-404, 1991.

15. J. Lee, H. M. Heys, and S. E. Tavares. Resistance of a CAST-like encryption algorithm to linear and differential cryptanalysis. Designs, Codes and Cryptography, 12(3):267-282, 1997.

16. C. H. Lim. Specification and analysis of CRYPTON version 1.0. NIST Advanced Encryption Standard (AES) submission, description available at http://crypt.future.co.kr/~chlim/crypton.html.

17. J. L. Massey. SAFER: a byte-oriented ciphering algorithm. Fast Software Encryption, Lecture Notes in Computer Science, vol. 809, R. Anderson ed., Springer-Verlag, pages 1-17, 1993.

18. J. L. Massey. SAFER K-64: one year later. Fast Software Encryption, Lecture Notes in Computer Science, vol. 1008, B. Preneel ed., Springer-Verlag, pages 212-241, 1994.

19. L. J. O'Connor. On the distribution of characteristics in bijective mappings. Advances in Cryptology, EUROCRYPT 93, Lecture Notes in Computer Science, vol. 765, T. Helleseth ed., Springer-Verlag, pages 360-370, 1994.

20. L. J. O'Connor. On the distribution of characteristics in bijective mappings. Journal of Cryptology, 8(2):67-86, 1995.

21. B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson. Twofish: a 128-bit block cipher. NIST Advanced Encryption Standard (AES) submission, description available at http://www.counterpane.com/twofish.html.




S-boxes with Controllable Nonlinearity

Jung Hee Cheon, Seongtaek Chee, and Choonsik Park

Electronics and Telecommunications Research Institute,
161 Kajong-Dong, Yusong-Gu, Taejon, 305-350, ROK
{jhcheon, chee, csp}@etri.re.kr

Abstract. In this paper, we give a relationship between the nonlinearity of rational functions over $\mathbb{F}_{2^n}$ and the number of points of an associated hyperelliptic curve. Using this, we get a lower bound on the nonlinearity of rational-typed vector Boolean functions over $\mathbb{F}_{2^n}$. While previous works give a lower bound on nonlinearity only for special-typed monomials, our result gives a general bound applicable to all rational functions defined over $\mathbb{F}_{2^n}$. As an application of our results, we get a lower bound on the nonlinearity of $n \times kn$ S-boxes.



1 Introduction

One of the powerful attacks on block ciphers is linear cryptanalysis, which was developed by Matsui [ref] in 1993. The basic idea of linear cryptanalysis is to find a linear relation among the plaintext, ciphertext and key bits. Such a relation usually arises from low nonlinearity of the substitutions in a block cipher.

Nonlinearity for Boolean functions is well established [ref]. However, it is very difficult to analyze the nonlinearity of vector Boolean functions in general. Some results on the nonlinearity of vector Boolean functions were found in [ref], but those results only concern special types of monomials over $\mathbb{F}_{2^n}$.

In this paper, we derive a novel relationship between the nonlinearity of a rational function over $\mathbb{F}_{2^n}$ and the number of points of a hyperelliptic curve over that field. Using this relationship we obtain a lower bound on the nonlinearity of rational-typed vector Boolean functions over $\mathbb{F}_{2^n}$. Furthermore, we give a lower bound on the nonlinearity of an S-box constructed by concatenating two or more S-boxes over $\mathbb{F}_{2^n}$. A similar method has been used in the CAST algorithm [ref], in which $8 \times 32$ S-boxes were constructed by selecting 32 bent Boolean functions over $\mathbb{F}_{2^8}$. In that case, the S-boxes have been believed to be highly nonlinear, but nobody gave a lower bound on the nonlinearity. It has been noted that it might be very difficult to prove a lower bound on the nonlinearity of such S-boxes [ref].

2 Preliminaries

2.1 Nonlinearity

We consider a vector Boolean function $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. Let $b = (b_1, b_2, \ldots, b_n)$ be a nonzero element of $\mathbb{F}_2^n$. We denote by $b \cdot F$ the Boolean function which is the linear combination $b_1 f_1 + b_2 f_2 + \cdots + b_n f_n$ of the coordinate Boolean functions $f_1, f_2, \ldots, f_n$ of $F$.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 286-…, 1999.
© Springer-Verlag Berlin Heidelberg 1999



Definition 1. The nonlinearity of $F$, $\mathcal{N}(F)$, is defined as
$$\mathcal{N}(F) = \min_{b \neq 0} \min_{\lambda \in \Gamma} \#\{x : \lambda(x) \neq b \cdot F(x)\},$$
where $\Gamma$ is the set of all affine functions over $\mathbb{F}_2^n$.

If we define $\mathcal{L}(F, a, b) = \#\{x : a \cdot x = b \cdot F(x)\}$, then we have
$$\mathcal{N}(F) = 2^{n-1} - \max_{b \neq 0} \max_a \big| 2^{n-1} - \mathcal{L}(F, a, b) \big|. \qquad (1)$$

Observe that the nonlinearity of an arbitrary vector Boolean function is upper-bounded as
$$\mathcal{N}(F) \leq 2^{n-1} - 2^{n/2 - 1},$$
and equality holds only for bent functions.

The nonlinearity for special types of $F$, usually monomials, was investigated by Nyberg [7].



Theorem 2.

1. Let $F(x) = \ldots$

(a) If $n/s$ is odd for $s = \gcd(n, k)$, then
$$\mathcal{N}(F) = 2^{n-1} - \ldots \qquad (2)$$

(b) If $n$ is odd and $\gcd(n, k) = 1$, then
$$\mathcal{N}(F^{-1}) = 2^{n-1} - 2^{(n-1)/2}. \qquad (3)$$

2. For $F(x) = x^{-1}$,
$$\mathcal{N}(F) \geq 2^{n-1} - 2^{n/2}. \qquad (4)$$



2.2 Hyperelliptic Curves

In this section, we introduce hyperelliptic curves and the Weil theorem, which have important roles in proving our main theorem. A hyperelliptic curve $C$ over $\mathbb{F}_{2^n}$ is an equation of the form
$$C : y^2 + h(x)y = f(x), \qquad (5)$$
where $f(x), h(x) \in \mathbb{F}_{2^n}[x]$ with $2\deg h(x) + 1 \leq \deg f(x)$, and there are no solutions $x, y$ in the algebraic closure of $\mathbb{F}_{2^n}$ which simultaneously satisfy the equation $y^2 + h(x)y = f(x)$ and the partial derivative equations $2y + h(x) = 0$ and $h'(x)y - f'(x) = 0$. When a curve $C$ has no solutions satisfying the three equations, we say that $C$ is nonsingular. Otherwise, we say that $C$ is singular.

We define the set of $\mathbb{F}_{2^n}$-rational points on $C$, denoted $C(\mathbb{F}_{2^n})$, as the set of all points $(x, y) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}$ that satisfy the equation (5) of the curve $C$, together with a special point at infinity, denoted $O$.

For the number $\#C(\mathbb{F}_{2^n})$ of $\mathbb{F}_{2^n}$-rational points on $C$, we have the following nontrivial bound [ref].






Theorem 3 (Weil). For any hyperelliptic curve $C$ over $\mathbb{F}_{2^n}$, we have
$$\big| \#C(\mathbb{F}_{2^n}) - 2^n - 1 \big| \leq 2g\sqrt{2^n}, \qquad (6)$$
where $g$ is the genus of the hyperelliptic curve $C$.

By the Riemann-Hurwitz formula, we have $g = \lfloor (d-1)/2 \rfloor$ for the degree $d$ of $f$ (see [4, p. 332]). When a curve given by the equation (5) is singular, the theorem does not hold. In this case we have the following, using the theory of desingularization of algebraic curves (see [4, p. 358]):
$$\big| \#C(\mathbb{F}_{2^n}) - 2^n - 1 \big| \leq 2g\sqrt{2^n} - g + \frac{(d-1)(d-3)}{2}, \qquad (7)$$
where $g$ is the genus of the singular curve $C$ and $d$ is the degree of $f$. Since the genus $g$ is less than $\lfloor (d-1)/2 \rfloor$, we can get the same inequality for a singular curve under some condition.

Corollary 4. Let $C$ be a curve given by the irreducible equation $y^2 + h(x)y = f(x)$, which satisfies $\deg f \geq \max\{2\deg h + 1, 3\}$. Assume that $C$ is nonsingular or $d = \deg f \leq (2^{n/2+2} - 2)^{1/2} + 2$. Then we have
$$\big| \#C(\mathbb{F}_{2^n}) - 2^n - 1 \big| \leq 2\lfloor (d-1)/2 \rfloor \sqrt{2^n}. \qquad (8)$$

Proof. If $C$ is nonsingular, we have $g = \lfloor (d-1)/2 \rfloor$, hence the corollary is proved. If $C$ is singular, we have $g \leq \lfloor (d-1)/2 \rfloor - 1$, so that
$$\big| \#C(\mathbb{F}_{2^n}) - 2^n - 1 \big| \leq (2\sqrt{2^n} - 1)\big(\lfloor (d-1)/2 \rfloor - 1\big) + \frac{(d-1)(d-3)}{2}.$$
The right-hand side is less than or equal to $2\lfloor (d-1)/2 \rfloor \sqrt{2^n}$ if $d^2 - 5d + 7 \leq 4\sqrt{2^n}$. Hence the corollary follows for $3 \leq d \leq (2^{n/2+2} - 2)^{1/2} + 2$.

3 Nonlinearity of Rational Functions over $\mathbb{F}_{2^n}$

In this section, we get a lower bound on the nonlinearity of rational functions over a finite field, using the bound on the number of points of hyperelliptic curves over that field. We consider a rational function of the form $F(x) = P(x)/Q^2(x)$ for $P(x), Q(x) \in \mathbb{F}_{2^n}[x]$, where we may define $F(\alpha)$ to be any element of $\mathbb{F}_{2^n}$ for a root $\alpha$ of $Q(x)$.

First, we introduce a lemma. We denote by $Tr(\cdot)$ the absolute trace mapping [ref].

Lemma 5. The polynomial equation of one variable $x$
$$x^2 + ax + b = 0, \quad a \neq 0,\ b \in \mathbb{F}_{2^n} \qquad (9)$$
is reducible over $\mathbb{F}_{2^n}$ if and only if $Tr(b/a^2) = 0$.

Proof. If we replace $x$ by $ax$ in equation (9) and divide the equation by $a^2$, we get $x^2 + x + b/a^2 = 0$. Hence $x^2 + ax + b = 0$ is reducible over $\mathbb{F}_{2^n}$ if and only if $x^2 - x = b/a^2$ has a root in $\mathbb{F}_{2^n}$. By Hilbert's Theorem 90 [ref], this is equivalent to $Tr(b/a^2) = 0$.

By using the above lemma, we can derive the following theorem.

Theorem 6. Let $P(x), Q(x), G(x) \in \mathbb{F}_{2^n}[x]$, $F(x) = P(x)/Q^2(x)$, where $G(x)$ is a permutation. Suppose that $C_{a,b} : y^2 + Q(x)y = aQ^2(x)G(x) + bP(x)$ is nonsingular for each $a, b \neq 0$ in $\mathbb{F}_{2^n}$, or $d = \max\{2\deg Q + \deg G, \deg P\} \leq (2^{n/2+2} - 2)^{1/2} + 2$. If $Q(x)$ has $r$ distinct roots in $\mathbb{F}_{2^n}$ and $\gcd(P(x), Q(x))$ has $s$ distinct roots in $\mathbb{F}_{2^n}$, then the nonlinearity of $F \circ G^{-1}$ is lower-bounded as follows:
$$\mathcal{N}(F \circ G^{-1}) \geq 2^{n-1} - \lfloor (d-1)/2 \rfloor\, 2^{n/2} - r + \frac{s}{2}.$$

Proof. Choose a basis $B$ of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ and take its dual basis $\tilde{B}$. Represent the binary vectors $a$ and $b$ in $\mathbb{F}_{2^n}$ by the basis $B$, and $G(x)$ and $F(x)$ by the dual basis $\tilde{B}$. Then we have
$$a \cdot G(x) = Tr(aG(x)), \qquad b \cdot F(x) = Tr(bF(x)).$$
Hence
$$\mathcal{L}(F \circ G^{-1}, a, b) = \#\{x \mid a \cdot x = b \cdot F(G^{-1}(x))\} = \#\{x \mid Tr(aG(x)) = Tr(bF(x))\} = \#\{x \mid Tr(aG(x) + bF(x)) = 0\}.$$
Let $\alpha_1, \alpha_2, \ldots, \alpha_r$ be the $r$ distinct roots of $Q(x)$. If $\alpha \neq \alpha_i$ for all $i$, $C_{a,b}$ has two distinct points whose $x$-coordinate is $\alpha$ whenever the equation in $y$, $y^2 + Q(\alpha)y = aQ^2(\alpha)G(\alpha) + bP(\alpha)$, is reducible. Also, $C_{a,b}$ has one point whose $x$-coordinate is $\alpha_i$ whenever the equation in $y$, $y^2 = bP(\alpha_i)$, is reducible. Considering the point at infinity $O$, we have
$$\#C_{a,b}(\mathbb{F}_{2^n}) - 1 = 2 \cdot \#\Big\{x \,\Big|\, Tr\Big(\frac{aQ^2(x)G(x) + bP(x)}{Q(x)^2}\Big) = 0,\ Q(x) \neq 0\Big\} + \sum_i \#\{y \mid y^2 = bP(\alpha_i)\}$$
$$= 2 \cdot \#\{x \mid Tr(aG(x)) = Tr(bF(x)),\ Q(x) \neq 0\} + \sum_i \#\{y \mid y^2 = bP(\alpha_i)\} \qquad (10)$$
$$= 2\mathcal{L}(F \circ G^{-1}, a, b) - 2\#\{i \mid Tr(aG(\alpha_i)) = Tr(bF(\alpha_i))\} + \sum_i \#\{y \mid y^2 = bP(\alpha_i)\}.$$
The first equality follows from Lemma 5. Observe that all curves $C_{a,b}$ for $a, b \neq 0$ satisfy the assumption of Corollary 4 and the degree of the equation $C_{a,b}$ in $x$ is less than or equal to $d$. Hence we have
$$\big| \#C_{a,b}(\mathbb{F}_{2^n}) - 2^n - 1 \big| \leq 2\lfloor (d-1)/2 \rfloor \sqrt{2^n}. \qquad (11)$$
Combining it with the identity (10), we have
$$\big| 2^{n-1} - \mathcal{L}(F \circ G^{-1}, a, b) \big| \leq \lfloor (d-1)/2 \rfloor \sqrt{2^n} + \Big| \#\{i \mid Tr(aG(\alpha_i)) = Tr(bF(\alpha_i))\} - \frac{1}{2} \sum_i \#\{y \mid y^2 = bP(\alpha_i)\} \Big|.$$
If we take the maximum over all $a, b \neq 0 \in \mathbb{F}_{2^n}$, we have
$$\max_{a,\, b \neq 0} \big| 2^{n-1} - \mathcal{L}(F \circ G^{-1}, a, b) \big| \leq \lfloor (d-1)/2 \rfloor \sqrt{2^n} + r - \frac{s}{2}.$$
Hence we have
$$\mathcal{N}(F \circ G^{-1}) \geq 2^{n-1} - \lfloor (d-1)/2 \rfloor\, 2^{n/2} - r + \frac{s}{2}.$$

Observe that $C(F, a, b)$ is singular if and only if $Q(x) = 0$, $Q'(x)y = bP'(x)$ and $y^2 = bP(x)$ have a common solution. Hence $C(F, a, b)$ is non-singular for any nonzero $b \in \mathbb{F}_{2^n}$ if $F(x)$ satisfies the following condition:

For any root $\alpha$ of $Q(x) = 0$ in the algebraic closure of $\mathbb{F}_{2^n}$, … (12)

If we use Theorem 6 we can obtain the following useful results.

Corollary 7.

1. For any polynomial $F(x) \in \mathbb{F}_{2^n}[x]$ of degree $d \geq 3$,
$$\mathcal{N}(F) \geq 2^{n-1} - \lfloor (d-1)/2 \rfloor\, 2^{n/2}.$$

2. For any polynomial $H(x) \in \mathbb{F}_{2^n}[x]$ of degree $m$ and a positive integer $k$, $F(x) = H(x)/x^{2k-1}$ has a lower bound on its nonlinearity as follows:
$$\mathcal{N}(F) \geq 2^{n-1} - \lfloor (d-1)/2 \rfloor\, 2^{n/2} - 1,$$
where $d = \max\{2k + 1, m + 1\}$.

Proof. 1. We take $G(x) = x$, $Q(x) = 1$ and $P(x) = F(x)$ in Theorem 6. Then the curve $C_{a,b} : y^2 + y = ax + bF(x)$ is irreducible and nonsingular for each $a, b \neq 0$. Since the degree of each curve $C_{a,b}$ in $x$ is $d$, we have the above assertion.

2. We take $G(x) = x$, $Q(x) = x^k$ and $P(x) = xH(x)$ in Theorem 6. Then the curve $C_{a,b} : y^2 + x^k y = ax^{2k+1} + bxH(x)$ is irreducible and nonsingular for each $a, b \neq 0$. If we take $d = \max\{2k + 1, m + 1\}$, the degree of each curve $C_{a,b}$ is less than or equal to $d$, which completes the proof.
We can extend the above corollary to composite functions.

Corollary 8. Assume that $e, f$ are integers satisfying $ef \equiv 1 \bmod (2^n - 1)$.

1. For any polynomial $F(x) \in \mathbb{F}_{2^n}[x]$ of degree $m \geq 3$,
$$\mathcal{N}(F(x^f)) \geq 2^{n-1} - \lfloor (d-1)/2 \rfloor\, 2^{n/2},$$
where $d = \max\{e, m\}$.

2. For any polynomial $H(x) \in \mathbb{F}_{2^n}[x]$ of degree $m$ and a positive integer $k$, let $F(x) = H(x)/x^{2k-1}$. Then
$$\mathcal{N}(F(x^f)) \geq 2^{n-1} - \lfloor (d-1)/2 \rfloor\, 2^{n/2} - 1,$$
where $d = \max\{2k + e, m + 1\}$.

Proof. 1. Take $G(x) = x^e$, $Q(x) = 1$ and $P(x) = F(x)$ in Theorem 6. Then for the curve $C_{a,b} : y^2 + y = ax^e + bF(x)$ the same assertions as in the proof of Corollary 7 hold.

2. Take $G(x) = x^e$, $Q(x) = x^k$ and $P(x) = xH(x)$ in Theorem 6. Then for the curve $C_{a,b} : y^2 + x^k y = ax^{2k+e} + bxH(x)$ the same assertions as in the proof of Corollary 7 hold.

By applying Corollary 7 we get some useful results. See the following example.

Example 9. 1. For $F(x) = x^{?} + x^{?} + x^{?} \in \mathbb{F}_{2^n}[x]$,
$$\mathcal{N}(F) \ge 2^{n-1} - 2^{n/2+1}.$$

2. For $F(x) = x^{-1} + x^{3} \in \mathbb{F}_{2^n}[x]$,
$$\mathcal{N}(F) \ge 2^{n-1} - 2^{n/2+1} - \tfrac{1}{2}.$$
Furthermore, we can get rid of the last term $1/2$ if $n$ is odd.

3. For $F(x) = x^{-1} + x^{-3} \in \mathbb{F}_{2^n}[x]$,
$$\mathcal{N}(F) \ge 2^{n-1} - 2^{n/2+1} - \tfrac{1}{2}.$$
Furthermore, we can get rid of the last term $1/2$ if $n$ is even.

If we apply Corollary 8 we can obtain lower bounds on the nonlinearity of some
monomials whose nonlinearity has not been analyzed theoretically yet.

Example 10. Consider $\mathbb{F}_{2^7}$. Let $F(x) = x^5$ and $G(x) = (x^3)^{-1} = x^{85}$, i.e.
$f = 85$ is the inverse of $e = 3$ modulo $127$. Then we have
$F(x^{85}) = x^{425} = x^{44}$. By Corollary 8 with $d = \max\{e, m\} = \max\{3, 5\} = 5$,
we have
$$\mathcal{N}(x^{44}) \ge 2^{n-1} - 2^{n/2+1}.$$
Since nonlinearity is preserved under composition with linear functions such as
$x^4$, $x^{11}$ has the same nonlinearity as $(x^{11})^4 = x^{44}$. Hence we have
$$\mathcal{N}(x^{11}) \ge 2^{n-1} - 2^{n/2+1}.$$
We can apply Theorem 6 directly to get a lower bound on the nonlinearity of
some rational functions.

Example 11. 1. For any irreducible polynomial $H(x)$ of degree $d$, we have

2. For $F(x) = x^{-1}(x-1)^{-1}$ (we assume $F(0) = F(1) = 0$),
$$\mathcal{N}(F) \ge 2^{n-1} - 3 \cdot 2^{n/2} - 1.$$

Table 1 shows the tightness of our lower bound on nonlinearity. The third
column shows the lower bound obtained by Theorem 6 and the fourth column
shows the exact value of the nonlinearity calculated by computational experiment.
Note that the S-boxes in Table 1 may not be permutations. In order to apply them
in a block cipher, other properties such as the differential probability should be
investigated.



Table 1. Lower bound on nonlinearity and its exact value

Function               n    Our lower bound    Exact value
$x^{?} + x^{?} + x^{?}$   7    48                 48
                       8    96                 96
$x^{-1} + x^{3}$        7    41                 46
                       8    96                 100
$x^{-1} + x^{-3}$       7    41                 46
                       8    96                 97



4 Nonlinearity of $n \times kn$ S-boxes

In this section, we derive the nonlinearity of an $n \times kn$ S-box constructed by
concatenating $k$ $n \times n$ S-boxes over $\mathbb{F}_{2^n}$. First, we present a proposition
relating the nonlinearity of an $n \times kn$ S-box to that of $n \times n$ S-boxes.

Proposition 12. Let $F: \mathbb{F}_{2^n} \to \mathbb{F}_{2^{kn}}$ be a vector Boolean function with
$F = (F_1, F_2, \ldots, F_k)$ for $F_i: \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$. Then we have
$$\mathcal{N}(F) = \min_{(c_1, \ldots, c_k) \ne 0} \mathcal{N}(c_1 F_1 + c_2 F_2 + \cdots + c_k F_k),$$
where $(c_1, \ldots, c_k)$ ranges over the nonzero elements of $\mathbb{F}_{2^n}^k$ (identified with
$\mathbb{F}_{2^{kn}}$) and the sums and products are the field operations in $\mathbb{F}_{2^n}$.
Proof. Choose a basis $B$ of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ and take its dual basis $\tilde B$. Let us
represent the left sides of all inner products by the basis $B$ and their right sides
by the dual basis $\tilde B$. For any nonzero $b = (c_1, c_2, \ldots, c_k)$ with $c_i \in \mathbb{F}_{2^n}$,
we have
$$C(F, a, b) = \#\{x \mid a \cdot x = b \cdot F(x)\}
= \#\{x \mid \mathrm{Tr}(ax + bF(x)) = 0\}
= \#\{x \mid \mathrm{Tr}(ax + c_1 F_1(x) + \cdots + c_k F_k(x)) = 0\}
= C(c_1 F_1 + \cdots + c_k F_k,\ a,\ 1),$$
where $1$ is the binary vector representing the identity element in the basis $B$.

Conversely, for any nonzero $(c_1, c_2, \ldots, c_k) \in \mathbb{F}_{2^{kn}}$, $c_i \in \mathbb{F}_{2^n}$, and any
nonzero $b_0 \in \mathbb{F}_{2^n}$, there exists a nonzero $b \in \mathbb{F}_{2^{kn}}$ such that
$C(c_1 F_1 + \cdots + c_k F_k, a, b_0) = C(F, a, b)$, which completes the proof.

By the above proposition, we can apply Theorem 6 to get a lower bound on the
nonlinearity of an $n \times kn$ S-box. For example, consider an $n \times 2n$ S-box
$F = (F_1, F_2)$ where $F_1(x) = x^{-1}$ and $F_2(x) = x^3$ are S-boxes over $\mathbb{F}_{2^n}$. Then
$$\mathcal{N}(F) = \min_{(c_1, c_2) \ne 0} \mathcal{N}(c_1 x^{-1} + c_2 x^3)
= \min\Big\{ \min_{c_1, c_2 \ne 0} \mathcal{N}(c_1 x^{-1} + c_2 x^3),\ \mathcal{N}(x^{-1}),\ \mathcal{N}(x^3) \Big\}
\ge 2^{n-1} - 2^{n/2+1} - \frac{1}{2}.$$
The first equality follows from Proposition 12 and the last inequality follows
from Corollary 7.

Similarly, we can get lower bounds on the nonlinearity of various $n$-by-$kn$ S-boxes.
We present some of them in Table 2. The second column shows a lower bound on the
nonlinearity of the S-boxes in the first column for even or odd $n$. The third and
fourth columns show the exact value of the nonlinearity calculated by computational
experiment.

In Table 2 every rational function such as $x^{-1}$ and $x^3$ is a vector Boolean
function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^n}$. Note that all functions are permutations for odd $n$,
but only $x^{-1}$ and $x^{?}$ are permutations for $n = 8$. If we combine our result with
Theorem 17 in [^], we can also construct highly nonlinear $kn \times kn$ S-boxes.
Abstract. Distributed key generation is a main component of threshold
cryptosystems and distributed cryptographic computing in general. So-
lutions to the distributed generation of private keys for discrete-log based
cryptosystems have been known for several years and used in a variety
of protocols and in many research papers. However, these solutions fail
to provide the full security required and claimed by these works. We
show how an active attacker controlling a small number of parties can
bias the values of the generated keys, thus violating basic correctness
and secrecy requirements of a key generation protocol. In particular, our
attacks point to the places where the proofs of security fail.

Based on these findings we designed a distributed key generation pro- 
tocol which we present here together with a rigorous proof of security. 
Our solution, that achieves optimal resiliency, can be used as a drop-in 
replacement for key generation modules as well as other components of 
threshold or proactive discrete-log based cryptosystems. 

Keywords: Threshold Cryptography. Distributed Key Generation. VSS. 
Discrete Logarithm. 



1 Introduction 

Distributed key generation is a main component of threshold cryptosystems. It 
allows a set of n servers to jointly generate a pair of public and private keys 
according to the distribution defined by the underlying cryptosystem without 
having to ever compute, reconstruct, or store the secret key in any single loca- 
tion and without assuming any trusted party (dealer). While the public key is 
output in the clear, the private key is maintained as a (virtual) secret shared via 
a threshold scheme. In particular, no attacker can learn anything about the key 
as long as it does not break into a specified number, t+ 1, of servers. This shared 
private key can be later used by a threshold cryptosystem, e.g., to compute sig- 
natures or decryptions, without ever being reconstructed in a single location. For 
discrete-log based schemes, distributed key generation amounts to generating a 

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 295–310, 1999.
secret sharing of a random, uniformly distributed value $x$ and making public the
value $y = g^x$. We refer to such a protocol as DKG.

A DKG protocol may be run in the presence of a malicious adversary who 
corrupts a fraction (or threshold) of the players and forces them to follow an 
arbitrary protocol of his choice. Informally, we say that a DKG protocol is secure 
if the output of the non-corrupted parties is correct (i.e. the shares held by the 
good players define a unique uniformly distributed value x and the public value 
y satisfies y = g^), and the adversary learns no information about the chosen 
secret x beyond, of course, what is learned from the public value y. 



Solutions to the shared generation of private keys for discrete-log based
threshold cryptosystems have been known and used for a long time.
Indeed, the first DKG scheme was proposed by Pedersen in [Ped91a]. It then ap-
peared, with various modifications, in several papers on threshold cryptography,
e.g., [CMI93, ...], and distributed cryptographic applications that rely on it,
e.g., [...]. Moreover, a secure DKG protocol is an important building block in
other distributed protocols for tasks different than the generation of keys. One
example is the generation of the randomizers in discrete-log based signature
schemes (for example the $r$ value in an $(r, s)$ DSS signature as in [..., GJKR96]).
Another example is the generation of the refreshing polynomial in proactive
secret sharing and signature schemes [HJKY95, HJJ+97, ...].

The basic idea in Pedersen's DKG protocol [Ped91a] (as well as in the sub-
sequent variants) is to have $n$ parallel executions of Feldman's verifiable secret
sharing (VSS) protocol [Fel87] in which each player $P_i$ acts as a dealer of a
random secret $z_i$ that he picks. The secret value $x$ is taken to be the sum of
the properly shared $z_i$'s. Since Feldman's VSS has the additional property of
revealing $y_i = g^{z_i}$, the public value $y$ is the product of the $y_i$'s that correspond
to those properly shared $z_i$'s.



In this paper we show that, in spite of its use in many protocols, Pedersen’s 
DKG cannot guarantee the correctness of the output distribution in the presence 
of an adversary. Specifically, we show a strategy for an adversary to manipu- 
late the distribution of the resulting secret x to something quite different from 
the uniform distribution. This flaw stresses a well-known basic principle for the 
design of cryptographic protocols, namely, that secure components can turn in- 
secure when composed to generate new protocols. We note that this ability of 
the attacker to bias the output distribution represents a flaw in several aspects 
of the protocol’s security. It clearly violates the basic correctness requirement 
about the output distribution of the protocol; but it also weakens the secrecy 
property of the solution. Indeed, the attacker acquires in this way some a-priori 
knowledge on the secret which does not exist when the secret is chosen truly 
at random. Moreover, these attacks translate into flaws in the attempted proofs 
of these protocols; specifically, they show that simulation arguments (a la zero- 
knowledge) as used to prove the secrecy of these protocols must fail. 

In contrast to the above, we present a protocol that enjoys a full proof of 
security. We first present the formal requirements for a secure solution of the 
DKG problem, then present a particular DKG protocol and rigorously prove that
it satisfies the security requirements. In particular, we show that the output
distribution of private and public keys is as required, and prove the secrecy re-
quirement of the protocol via a full simulation argument. Our solution is based
on ideas similar to Pedersen's DKG (in particular, it also uses Feldman's VSS as
a main component), but we are careful about designing an initial commitment
phase where each player commits to its initial choice $z_i$ in a way that prevents
the attacker from later biasing the output distribution of the protocol. For this
commitment phase we use another protocol of Pedersen, i.e., Pedersen's VSS
(verifiable secret sharing) protocol as presented in [Ped91b]. Very importantly,
our solution preserves most of the efficiency and simplicity of the original DKG
solution of [Ped91a]; in particular it has comparable computational complexity
and the same optimal threshold of $t < n/2$.

Organization: In Section 2 we present the basic communication and adversarial
models for our protocols. In Section 3 we describe previously proposed solutions
to the DKG problem and show where they fail. In Section 4 we present our solu-
tion and its full analysis; we also discuss some other applications of our protocol.
Finally, in Section 5 we discuss an enhanced (and more realistic) security model
under which our solution works as well.

2 Preliminaries 

Communication Model. We assume that our computation model is composed
of a set of $n$ players $P_1, \ldots, P_n$ that can be modeled by polynomial-time ran-
domized Turing machines. They are connected by a complete network of private
(i.e. untappable) point-to-point channels. In addition, the players have access to
a dedicated broadcast channel.

For simplicity of the discussion that follows, we assume a fully synchronous
communication model, i.e. that messages of a given round in the protocol are
sent by all players simultaneously, and that they are simultaneously delivered to
their recipients. This model is not realistic enough for many applications, but
it is often assumed in the literature; moreover, our attacks against known DKG
protocols (Section 3) work even in this simplified setting.

In Section 5 we introduce a more realistic, partially synchronous communica-
tion model. Our solution to the DKG problem (Section 4) and its security proof
work in this strictly stronger adversarial model.

The Adversary. We assume that an adversary, $A$, can corrupt up to $t$ of the
$n$ players in the network, for any value of $t < n/2$ (this is the best achievable
threshold, or resilience, for solutions that provide both secrecy and robust-
ness). We consider a malicious adversary that may cause corrupted players to
deviate from the specified protocol in any way. We assume that the computational
power of the adversary is adequately modeled by a probabilistic polynomial time
Turing machine. Our adversary is static, i.e. it chooses the corrupted players at the
beginning of the protocol (a recent extension of our results to the non-static, or
adaptive, adversary setting is referenced later in the paper).
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3 Distributed Key Generation in DLog-Based Schemes 

In this section we define the minimal requirements for a secure distributed key 
generation protocol. We show how previous solutions fail to satisfy these re- 
quirements. We also discuss the applicability of our attacks to other existing 
distributed protocols. 

3.1 Requirements of a Secure DKG Protocol 

As we mentioned in the introduction, distributed generation of keys in a discrete-
log based scheme amounts to generating a secret sharing of a random, uni-
formly distributed value $x$ and making public the value $y = g^x$. Specifically, in a
discrete-log based scheme with a large prime $p$ and an element $g$ of order $q$ in $\mathbb{Z}_p^*$,
where $q$ is a large prime dividing $p-1$, the distributed protocol DKG performed
by $n$ players $P_1, \ldots, P_n$ generates private outputs $x_1, \ldots, x_n$, called the shares,
and a public output $y$. The protocol is called $t$-secure (or secure with threshold
$t$) if in the presence of an attacker that corrupts at most $t$ parties the following
requirements for correctness and secrecy are satisfied:

Correctness:

(C1) All subsets of $t+1$ shares provided by honest players define the same
unique secret key $x$.

(C2) All honest parties have the same value of public key $y = g^x \bmod p$, where
$x$ is the unique secret guaranteed by (C1).

(C3) $x$ is uniformly distributed in $\mathbb{Z}_q$ (and hence $y$ is uniformly distributed in
the subgroup generated by $g$).

Secrecy: No information on $x$ can be learned by the adversary except for what
is implied by the value $y = g^x \bmod p$.

More formally, we state this condition in terms of simulatability: for every (prob-
abilistic polynomial-time) adversary $A$, there exists a (probabilistic polynomial-
time) simulator SIM, such that on input an element $y$ in the subgroup of $\mathbb{Z}_p^*$
generated by $g$, it produces an output distribution which is polynomially indistin-
guishable from $A$'s view of a run of the DKG protocol that ends with $y$ as its
public key output, and where $A$ corrupts up to $t$ parties.

The above is a minimal set of requirements needed in all known applications 
of such a protocol. In many applications a stronger version of (Cl) is desirable, 
which reflects two additional aspects: (1) It requires the existence of an efficient 
procedure to build the secret x out of t+1 shares; and (2) it requires this procedure 
to be robust, i.e. the reconstruction of x should be possible also in the presence 
of malicious parties that try to foil the computation. We note that these added 
properties are useful not only in applications that require explicit reconstruction 
of the secret, but also in applications (such as threshold cryptosystems) that 
use the secret $x$ in a distributed manner (without ever reconstructing it) to
compute some cryptographic function, e.g. a signature. Thus, we formulate (Cl’) 
as follows: 
(C1') There is an efficient procedure that on input the $n$ shares submitted by the
players and the public information produced by the DKG protocol, outputs
the unique value $x$, even if up to $t$ shares are submitted by faulty players.



3.2 The Insecurity of a Common DKG Protocol 



The Joint-Feldman Protocol. Feldman [Fel87] presents a verifiable secret shar-
ing (VSS) protocol, denoted by Feldman-VSS, that allows a trusted dealer to share
a key $x$ among $n$ parties in a way that the above security properties are achieved
(with the exception that the protocol assumes the dealer never to be corrupted
by the attacker). Based on this protocol, Pedersen [Ped91a] proposes the first dis-
tributed solution to this problem, i.e. the first DKG protocol. It specifies the run
of $n$ parallel executions of Feldman-VSS as follows. Each player $P_i$ selects a ran-
dom secret $z_i \in \mathbb{Z}_q$ and shares it among the $n$ players using Feldman-VSS. This
defines the set QUAL of players that shared their secrets properly. The random
secret $x$ is set to be the sum of the properly shared secrets and each player can
compute his share of $x$ by locally summing up the shares he received. The value
$y$ can be computed as the product of the public values $y_i = g^{z_i} \bmod p$ generated
by the proper executions of the Feldman-VSS protocols. Similarly, the verifica-
tion values $A_1, \ldots, A_t$ necessary for robust reconstruction of $x$ in Feldman-VSS
can be computed as products of the corresponding verification values generated
by each properly executed VSS protocol.

In Figure 1 we present a simplified version of the protocol proposed in
[Ped91a], which we call Joint-Feldman. By concentrating on the core of the proto-
col we are able to emphasize the central weakness in its design. We also show that
several variants of this core protocol (including the full protocol from [Ped91a]
and other modifications [..., HJJ+97]) are also insecure.



An Attack Against Joint-Feldman. We show how an adversary can influence
the distribution of the result of Joint-Feldman to a non-uniform distribution.

It can be seen from the above description of the protocol that the deter-
mining factor for what the value $x$ will be is the definition of the set QUAL.
The attack utilizes the fact that the decision whether a player is in QUAL or
not, even given the fully synchronous communication model, occurs after the
adversary has seen the values $y_i$ of all players. The values $y_i$ are made public in
Step 1 and the disqualification of players occurs in Steps 2-3. Using this timing
discrepancy, the attacker can affect the distribution of the pair $(x, y)$.

More specifically the attack works as follows. Assume the adversary wants
to bias the distribution towards keys $y$ whose last bit is 0. It assumes two faulty
players, say $P_1$ and $P_2$. In Step 1 $P_1$ gives players $P_3, \ldots, P_{t+2}$ shares which are
inconsistent with his broadcast values, i.e. they do not pass the test of Step 2.
The rest of the players receive consistent shares. Thus, in Step 2 there will be
$t$ complaints against $P_1$, yet $t$ complaints are not sufficient for disqualification.
Now, at the end of Step 1 the adversary computes $\alpha = \prod_{i=1}^{n} y_i$ and
$\beta = \prod_{i=2}^{n} y_i$.

If $\alpha$ ends with 0 then $P_1$ will do nothing and continue the protocol as written.
If $\alpha$ ends with 1 then the adversary forces the disqualification of $P_1$ in Step 3.
Protocol Joint-Feldman

1. Each player $P_i$ chooses a random polynomial $f_i(z)$ over $\mathbb{Z}_q$ of degree $t$:
   $$f_i(z) = a_{i0} + a_{i1} z + \ldots + a_{it} z^t.$$
   $P_i$ broadcasts $A_{ik} = g^{a_{ik}} \bmod p$ for $k = 0, \ldots, t$. Denote $a_{i0}$ by $z_i$ and
   $A_{i0}$ by $y_i$. Each $P_i$ computes the shares $s_{ij} = f_i(j) \bmod q$ for $j = 1, \ldots, n$
   and sends $s_{ij}$ secretly to player $P_j$.

2. Each $P_j$ verifies the shares he received from the other players by checking,
   for $i = 1, \ldots, n$:
   $$g^{s_{ij}} = \prod_{k=0}^{t} (A_{ik})^{j^k} \bmod p. \qquad (1)$$
   If the check fails for an index $i$, $P_j$ broadcasts a complaint against $P_i$.

3. If more than $t$ players complain against a player $P_i$, that player is clearly
   faulty and he is disqualified. Otherwise $P_i$ reveals the share $s_{ij}$ matching
   Eq. (1) for each complaining player $P_j$. If any of the revealed shares fails
   this equation, $P_i$ is disqualified. We define the set QUAL to be the set of
   non-disqualified players.

4. The public value $y$ is computed as $y = \prod_{i \in QUAL} y_i \bmod p$. The public veri-
   fication values are computed as $A_k = \prod_{i \in QUAL} A_{ik} \bmod p$ for $k = 1, \ldots, t$.
   Each player $P_j$ sets his share of the secret as $x_j = \sum_{i \in QUAL} s_{ij} \bmod q$.
   The secret shared value $x$ itself is not computed by any party, but it is
   equal to $x = \sum_{i \in QUAL} z_i \bmod q$.

Fig. 1. An insecure solution for distributed generation of secret keys



This is achieved by asking $P_2$ to also broadcast a complaint against $P_1$, which
brings the number of complaints to $t+1$. This action sets the public value $y$ to $\beta$,
which ends with 0 with probability 1/2. Thus effectively the attacker has forced
strings ending in 0 to appear with probability 3/4 rather than 1/2.
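The attack above, as an added example that is not part of the paper: a Python simulation of the core Joint-Feldman protocol of Figure 1 with $n = 5$, $t = 2$, in which $P_1$ and $P_2$ follow exactly the strategy just described. The group ($p = 167$, $q = 83$, $g = 4$) is a toy chosen for this example and far too small for any real use; the function names and the fixed corrupt contributions are assumptions as well. Since $y$ depends only on the sum of the $z_i$ of the players in QUAL, `bias_experiment` averages over every possible honest contribution and returns how often $y$ is even in an honest run versus an attacked run.

```python
import random

# Toy group constructed for this example (far too small for real use):
# p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q in Z_p^*.
P, Q, G = 167, 83, 4


def poly_eval(coeffs, x):
    """f(x) mod q for f given by its coefficients [a_0, ..., a_t]."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def feldman_ok(share, commits, j):
    """Eq. (1): g^{s_ij} == prod_k A_ik^{j^k} mod p."""
    rhs = 1
    for k, a in enumerate(commits):
        rhs = rhs * pow(a, pow(j, k, Q), P) % P
    return pow(G, share, P) == rhs


def joint_feldman(secrets, t, adversary=None, seed=0):
    """One run of Joint-Feldman (Fig. 1) with n = len(secrets) players, P_i
    dealing z_i = secrets[i-1].  With `adversary` given, P_1 and P_2 are
    corrupt: in Step 1 P_1 sends bad shares to P_3, ..., P_{t+2} (exactly t
    complaints, too few to disqualify it) and, once every y_i is public,
    `adversary(list of y_i) -> bool` decides whether P_2 adds the (t+1)-th
    complaint that throws P_1 out of QUAL.  Returns (x, y, QUAL)."""
    rng = random.Random(seed)
    n = len(secrets)
    polys = [[z] + [rng.randrange(Q) for _ in range(t)] for z in secrets]
    commits = [[pow(G, a, P) for a in f] for f in polys]            # A_ik; y_i = A_i0
    shares = {(i, j): poly_eval(polys[i - 1], j)
              for i in range(1, n + 1) for j in range(1, n + 1)}    # s_ij
    if adversary is not None:
        for j in range(3, t + 3):
            shares[(1, j)] = (shares[(1, j)] + 1) % Q               # inconsistent shares
    complaints = {i: {j for j in range(1, n + 1)                    # Step 2
                      if not feldman_ok(shares[(i, j)], commits[i - 1], j)}
                  for i in range(1, n + 1)}
    if adversary is not None and adversary([c[0] for c in commits]):
        complaints[1].add(2)                                         # Step 3: P_2 piles on
    # Step 3: a dealer with at most t complaints answers them with correct
    # shares and stays in; only more than t complaints disqualify.
    qual = [i for i in range(1, n + 1) if len(complaints[i]) <= t]
    x = sum(secrets[i - 1] for i in qual) % Q                        # Step 4
    y = 1
    for i in qual:
        y = y * commits[i - 1][0] % P
    assert y == pow(G, x, P)
    return x, y, qual


def want_even_y(ys):
    """The adversary of the text: alpha = product of all y_i is the y that
    results if P_1 stays in QUAL.  Force P_1 out exactly when alpha ends in
    bit 1, so that y becomes beta = alpha / y_1 instead."""
    alpha = 1
    for v in ys:
        alpha = alpha * v % P
    return alpha % 2 == 1


def bias_experiment(n=5, t=2, z1=5, z2=9):
    """Fraction of runs with an even public key y, honest vs. attacked,
    averaged over every possible sum s of the honest contributions (y depends
    on nothing else).  The attacked fraction is strictly larger whenever
    z1 != 0 mod q."""
    even_honest = even_attacked = 0
    for s in range(Q):
        secrets = [z1, z2, s] + [0] * (n - 3)
        _, y_honest, _ = joint_feldman(secrets, t, seed=s)
        _, y_attacked, _ = joint_feldman(secrets, t, want_even_y, seed=s)
        even_honest += y_honest % 2 == 0
        even_attacked += y_attacked % 2 == 0
    return even_honest / Q, even_attacked / Q


if __name__ == "__main__":
    print("P(y even): honest %.3f, attacked %.3f" % bias_experiment())
```

In a large group the honest fraction is 1/2 and the attacked one 3/4; in this toy group the honest fraction is simply the share of even elements in the order-83 subgroup, and the attack still adds every case in which $\alpha$ is odd but $\beta = \alpha \cdot y_1^{-1}$ is even, which is why the strict increase does not depend on the group size.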

Why the Simulation Fails. An attempt to prove this protocol secure would
use a simulation argument. Following is an explanation of why such a simulator
would fail. Consider a simulator $S$ which receives the value $y$ and needs to "hit"
this value. That is, $S$ needs to generate a transcript which is indistinguishable
from an actual run of the protocol that outputs $y$ as the public key, and where
the adversary controls up to $t$ players, say $P_1, \ldots, P_t$. The simulator has enough
information to compute the values $z_1, \ldots, z_t$ that the adversary has shared in
Step 1. Now $S$ needs to commit itself to the values shared by the good players.
However, the attack described in the paragraph above can be easily extended
to a strategy that allows the adversary to decide in Steps 2-3 on the set $Q$
of faulty players whose values will be considered in the final computation (i.e.
QUAL $= Q \cup \{t+1, \ldots, n\}$). Consequently, in Step 1 the simulator $S$ does not know
how to pick the good players' values $y_{t+1}, \ldots, y_n$ so that
$(\prod_{i \in Q} y_i) \cdot (y_{t+1} \cdots y_n) = y \bmod p$, as $S$ still does not know the set $Q$.
Since the number of possible sets $Q$ that the adversary can choose is exponential
in $t$, $S$ has no effective strategy to simulate this computation in polynomial time.

Other Insecure Variants of the Joint-Feldman Protocol. The many variants
and extensions of the Joint-Feldman protocol which have appeared in the liter-
ature are also insecure. They all fail to achieve the correctness property (C3)
and the secrecy requirement as presented in Section 3.1. The variants include:
signatures on shares, commitments to $y_i$, committing encryption on the broadcast
channel, committing encryption with reconstruction, and "stop, kill and rewind".
Due to space limitations, we invite the reader to the on-line appendix to this
paper [...] for the description of these variants and their flaws.

4 The New Protocol 

Our solution enjoys the same flavor and simplicity as the Joint-Feldman protocol
presented in Figure 1, i.e. each player shares a random value and the random
secret is generated by summing up these values.

But we use a different sharing and then introduce methods to extract the 
public key. We start by running a commitment stage where each player Pi com- 
mits to a t-degree polynomial {t is the scheme’s threshold) fi{z) whose constant 
coefficient is the random value, Zi, contributed by Pi to the jointly generated 
secret x. We require the following properties from this commitment stage: First, 
the attacker cannot force a commitment by a (corrupted) player Pj to depend on 
the commitment (s) of any set of honest players. Second, for any player Pi that 
is not disqualified during this stage, there is a unique polynomial fi committed 
to by Pi and this polynomial is recoverable by the honest players (this may be 
needed if player Pi misbehaves at a later stage of the protocol). Finally, for each 
honest player Pi and non-disqualified player Pj, Pi holds the value fi{j) at the 
end of the commitment stage. 

To realize the above commitment stage we use the information-theoretic ver-
ifiable secret sharing (VSS) protocol due to Pedersen [Ped91b], which we
denote by Pedersen-VSS. We show that at the end of the commitment stage the
value of the secret $x$ is determined and no later misbehavior by any party can
change it (indeed, if a non-disqualified player misbehaves later in the protocol
his value $z_i$ is publicly reconstructed by the honest players). Most importantly,
this guarantees that no bias in the output $x$ or $y$ of the protocol is possible, and
it allows us to present a full proof of security based on a careful simulation argu-
ment. After the value $x$ is fixed we enable the parties to efficiently and securely
compute $y = g^x \bmod p$.

In the next subsection we present the detailed solution and its analysis. But 
first we expand on Pedersen’s VSS protocol. 

Pedersen's VSS. As said, we use the protocol Pedersen-VSS introduced in
[Ped91b] as a central tool in our solution. For lack of space we do not explic-
itly describe Pedersen-VSS here; however, its description is implicit in Step 1 of
Figure 2. We note that this protocol uses, in addition to the parameters $p, q, g$
which are inherent to the DKG problem, an element $h$ in the subgroup of $\mathbb{Z}_p^*$ gen-
erated by $g$. It is assumed that the adversary cannot find the discrete logarithm
of $h$ relative to the base $g$. Later in the paper we discuss how this value of $h$ can be
generated in the context of our DKG solution. Some of the main properties of
Pedersen-VSS are summarized in the next Lemma and used in the analysis of
our DKG solution in the next subsection.

Lemma 1. [Ped91b] Pedersen-VSS satisfies the following properties in the pres-
ence of an adversary that corrupts at most $t$ parties and which cannot compute
$\mathrm{dlog}_g h$:

1. If the dealer is not disqualified during the protocol then all honest players
hold shares that interpolate to a unique polynomial of degree $t$. In particular,
any $t+1$ of these shares suffice to efficiently reconstruct (via interpolation)
the secret $s$.

2. The protocol produces information (the public values $C_k$ and private values
$s'_j$) that can be used at reconstruction time to test for the correctness of
each share; thus, reconstruction is possible, even in the presence of malicious
players, from any subset of shares containing at least $t+1$ correct shares.

3. The view of the adversary is independent of the value of the secret $s$, and
therefore the secrecy of $s$ is unconditional.



4.1 Secure DKG Protocol

Our secure solution to the distributed generation of keys follows the above ideas
and is presented in detail in Figure 2. We denote this protocol as DKG.

The security properties of this solution are stated in the next Theorem.

Theorem 2. Protocol DKG from Figure 2 is a secure protocol for distributed key
generation in discrete-log based cryptosystems, namely, it satisfies the correctness
and secrecy requirements of Section 3.1 with threshold $t$, for any $t < n/2$.

Proof of Correctness. We first note that all honest players in the protocol
compute the same set QUAL since the determination of which players are to
be disqualified depends on public broadcast information which is known to all
(honest) players.

(C1) At the end of Step 2 of the protocol it holds that if $i \in$ QUAL then player $P_i$
has successfully performed the dealing of $z_i$ under Pedersen-VSS. From part 1 of
Lemma 1 we know that all honest players hold shares $(s_{ij})$ which interpolate to
a unique polynomial with constant coefficient equal to $z_i$. Thus, for any set $\mathcal{R}$ of
$t+1$ correct shares, $z_i = \sum_{j \in \mathcal{R}} \gamma_j s_{ij} \bmod q$, where the $\gamma_j$ are appropriate
Lagrange interpolation coefficients for the set $\mathcal{R}$. Since each honest party $P_j$
computes its share $x_j$ of $x$ as $x_j = \sum_{i \in QUAL} s_{ij}$, then we have that for the set
of shares $\mathcal{R}$:
$$\sum_{j \in \mathcal{R}} \gamma_j x_j = \sum_{j \in \mathcal{R}} \gamma_j \sum_{i \in QUAL} s_{ij}
= \sum_{i \in QUAL} \sum_{j \in \mathcal{R}} \gamma_j s_{ij} = \sum_{i \in QUAL} z_i = x.$$
Protocol DKG

Generating $x$:

1. Each player $P_i$ performs a Pedersen-VSS of a random value $z_i$ as a dealer:

   (a) $P_i$ chooses two random polynomials $f_i(z)$, $f'_i(z)$ over $\mathbb{Z}_q$ of degree $t$:
       $$f_i(z) = a_{i0} + a_{i1} z + \ldots + a_{it} z^t, \qquad
         f'_i(z) = b_{i0} + b_{i1} z + \ldots + b_{it} z^t.$$
       Let $z_i = a_{i0} = f_i(0)$. $P_i$ broadcasts $C_{ik} = g^{a_{ik}} h^{b_{ik}} \bmod p$ for
       $k = 0, \ldots, t$. $P_i$ computes the shares $s_{ij} = f_i(j)$, $s'_{ij} = f'_i(j) \bmod q$ for
       $j = 1, \ldots, n$ and sends $s_{ij}, s'_{ij}$ to player $P_j$.

   (b) Each player $P_j$ verifies the shares he received from the other players.
       For each $i = 1, \ldots, n$, $P_j$ checks if
       $$g^{s_{ij}} h^{s'_{ij}} = \prod_{k=0}^{t} (C_{ik})^{j^k} \bmod p. \qquad (2)$$
       If the check fails for an index $i$, $P_j$ broadcasts a complaint against $P_i$.

   (c) Each player $P_i$ who, as a dealer, received a complaint from player $P_j$
       broadcasts the values $s_{ij}, s'_{ij}$ that satisfy Eq. (2).

   (d) Each player marks as disqualified any player that either
       - received more than $t$ complaints in Step 1(b), or
       - answered a complaint in Step 1(c) with values that falsify Eq. (2).

2. Each player then builds the set of non-disqualified players QUAL. (We
   show in the analysis that all honest players build the same set QUAL and
   hence, for simplicity, we denote it with a unique global name.)

3. The distributed secret value $x$ is not explicitly computed by any party,
   but it equals $x = \sum_{i \in QUAL} z_i \bmod q$. Each player $P_i$ sets his share of the
   secret as $x_i = \sum_{j \in QUAL} s_{ji} \bmod q$ and the value $x'_i = \sum_{j \in QUAL} s'_{ji} \bmod q$.

Extracting $y = g^x \bmod p$:

4. Each player $i \in$ QUAL exposes $y_i = g^{z_i} \bmod p$ via Feldman-VSS:

   (a) Each player $P_i$, $i \in$ QUAL, broadcasts $A_{ik} = g^{a_{ik}} \bmod p$ for $k = 0, \ldots, t$.

   (b) Each player $P_j$ verifies the values broadcast by the other players in
       QUAL, namely, for each $i \in$ QUAL, $P_j$ checks if
       $$g^{s_{ij}} = \prod_{k=0}^{t} (A_{ik})^{j^k} \bmod p. \qquad (3)$$
       If the check fails for an index $i$, $P_j$ complains against $P_i$ by broad-
       casting the values $s_{ij}, s'_{ij}$ that satisfy Eq. (2) but do not satisfy Eq. (3).

   (c) For players $P_i$ who receive at least one valid complaint, i.e. values
       which satisfy Eq. (2) and not Eq. (3), the other players run the re-
       construction phase of Pedersen-VSS to compute $z_i$, $f_i(z)$, $A_{ik}$ for
       $k = 0, \ldots, t$ in the clear. For all players in QUAL, set $y_i = A_{i0} =
       g^{z_i} \bmod p$. Compute $y = \prod_{i \in QUAL} y_i \bmod p$.

Fig. 2. Secure distributed key generation in discrete-log based systems
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Since this holds for any set of t + 1 correct shares then x is uniquely defined. 

(Cl’) The above argument in (Cl) shows that the secret x can be efficiently 
reconstructed, via interpolation, out of any t + 1 correct shares. We need to 
show that we can tell apart correct shares from incorrect ones. For this we show 
that for each share Xj, the value can be computed from publicly available 
information broadcast in Step 

t 

= gT.i^QUAL<>ii = (>lifc )^ " mod p 

i^QUAL i^QUAL k—Q 

where the last equality follows from Eq. El Thus the publicly available value 
makes it possible to verify the correctness of share Xj at reconstruction time. 

(C2) The value y is computed (by the honest players) as y = YlieQUAL Vi mod p, 
where the values of pi are derived from information broadcast in the protocol 
and thus known to all honest players. We need to show that indeed y = g^ 
where x = Y^i^guAL^i- show that for i G QUAL, yi = g^\ and then 

y = Yli&QUAL Vi = Y\^^QUAL 9^' = For parties i G QUAL against 

whom a valid complaint has been issued in Step ES value Zi is publicly recon- 
structed and yi set to g^' mod p (the correct reconstruction of Zi is guaranteed 
by Lemma □ (part 2)). Now we need to show that for Pi, i & QUAL, against 
whom a valid complaint has not been issued, the value yi is set to An). Values 
Aik, k = 0, .. . ,t broadcast by player Pi in Step E3 define a t-degree polynomial 
fi{z) in Zq. Since we assume that no valid complaint was issued against Pi then 
Eq. E] is satisfied for all honest players, and thus fi{z) and fi{z) have at least 
t -|- 1 points in common, given by the shares Sij held by the uncorrupted players 
Pj. Hence they are equal, and in particular 

(C3) The secret x is defined as x = Σ_{i∈QUAL} z_i. Note that as long as there is 
one value z_i in this sum that is chosen at random and independently from other 
values in the sum, we are guaranteed to have uniform distribution of x. Also 
note that the secret x and the components z_i in the sum are already determined 
at the end of Step 1 of DKG (since neither the values z_i nor the set QUAL change 
later). Let P_i be a non-corrupted player; in particular, i ∈ QUAL. At the end of 
Step 1 of the protocol z_i exists only as a value dealt by P_i using Pedersen-VSS. 
By virtue of part 3 of Lemma H the view (and thus actions) of the adversary are 
independent of this value z_i and hence the secret x is uniformly distributed (as 
z_i is). 

Proof of Secrecy. We provide a simulator SIM for the DKG protocol in Figure 3. 
Here we show that the view of the adversary A that interacts with SIM 
on input y is the same as the view of A that interacts with the honest players 
in a regular run of the protocol that outputs the given y as the public key. 

In the description and analysis of the simulator we assume, without loss of 
generality, that the adversary compromises players P_1, ..., P_{t'}, where t' ≤ t. We 
denote the indices of the players controlled by the adversary by B = {1, ..., t'}, 
and the indices of the players controlled by the simulator by G = {t' + 1, ..., n}. 
In a regular run of protocol DKG, A sees the following probability distribution 
of data produced by the uncorrupted parties: 

— Values f_i(j), f'_i(j), i ∈ G, j ∈ B, uniformly chosen in Z_q (and denoted as 
s_{ij}, s'_{ij}, resp.). 

— Values C_{ik}, A_{ik}, i ∈ G, k = 0, ..., t that correspond to (exponents of) 
coefficients of randomly chosen polynomials and for which the Eqs. 0 and 0 
are satisfied for all j ∈ B. 



Algorithm of simulator SIM 

We denote by B the set of players controlled by the adversary, and by G 
the set of honest parties (run by the simulator). Wlog, B = {1, ..., t'} and 
G = {t' + 1, ..., n}, t' ≤ t. 

Input: public key y 

1. Perform Steps 1a-1d on behalf of the uncorrupted players P_{t'+1}, ..., P_n 
exactly as in protocol DKG. This includes receiving and processing the 
information sent privately and publicly from corrupted players to honest 
ones. At the end of Step 1 the following holds: 

— The set QUAL is well-defined. Note that G ⊆ QUAL and that polynomials 
f_i(z), f'_i(z) for i ∈ G are chosen at random. 

— The adversary's view consists of polynomials f_i(z), f'_i(z) for i ∈ B, 
the shares (s_{ij}, s'_{ij}) = (f_i(j), f'_i(j)) for i ∈ QUAL, j ∈ B, and all the 
public values C_{ik} for i ∈ QUAL, k = 0, ..., t. 

— SIM knows all polynomials f_i(z), f'_i(z) for i ∈ QUAL (note that for 
i ∈ QUAL ∩ B the honest parties, and hence SIM, receive enough 
consistent shares from the adversary that allow SIM to compute all 
these parties' polynomials). In particular, SIM knows all the shares 
s_{ij}, s'_{ij}, the coefficients a_{ik}, b_{ik} and the public values C_{ik}. 

2. Perform the following computations: 

- Compute A_{ik} = g^{a_{ik}} mod p for i ∈ QUAL \ {n}, k = 0, ..., t 

- Set A*_{n0} = y · (∏_{i∈(QUAL\{n})} A_{i0})^{-1} mod p 

- Assign s*_{nj} = s_{nj} = f_n(j) for j = 1, ..., t 

- Compute A*_{nk} = (A*_{n0})^{λ_{k0}} · ∏_{i=1}^{t} (g^{s*_{ni}})^{λ_{ki}} mod p for k = 1, ..., t, 
where the λ_{ki}'s are the Lagrange interpolation coefficients. 

(a) Broadcast A_{ik} for i ∈ G \ {n}, and A*_{nk} for k = 0, ..., t 

(b) Perform for each uncorrupted player the verifications of Eq. 0 on 
the values A_{ik}, i ∈ B, broadcast by the players controlled by the 
adversary. If the verification fails for some i ∈ B, j ∈ G, broadcast a 
complaint (s_{ij}, s'_{ij}). (Notice that the corrupted players can publish a 
valid complaint only against one another.) 

(c) Perform Step 2c of the protocol on behalf of the uncorrupted parties, 
i.e. perform the reconstruction phase of Pedersen-VSS to compute z_i and 
y_i in the clear for every P_i against whom a valid accusation was 
broadcast in the previous step. 

Fig. 3. Simulator for the shared key generation protocol DKG 
Since here we are interested in runs of DKG that end with the value y as the 
public key output of the protocol, we note that the above distribution of values 
is induced by the choice (of the good players) of polynomials f_i(z), i ∈ G, 
uniformly distributed in the family of t-degree polynomials over Z_q subject to 
the condition that 

$$
\prod_{i \in QUAL} A_{i0} = y \bmod p . \qquad (4)
$$

In other words, this distribution is characterized by the choice of polynomials 
f_i(z), f'_i(z) for i ∈ (G \ {n}) and f'_n(z) as random independent t-degree 
polynomials over Z_q, and of f_n(z) as a uniformly chosen polynomial 
from the family of t-degree polynomials over Z_q that satisfy the constraint 
f_n(0) = dlog_g(y) − Σ_{i∈(QUAL\{n})} f_i(0) mod q. (This last constraint is 
necessary and sufficient to guarantee Eq. (4).) Note that, using the notation of 
values computed by SIM in Step 2 of the simulation, the last constraint can be 
denoted as f_n(0) = dlog_g(A*_{n0}). 

We show that the simulator SIM outputs a probability distribution which 
is identical to the above distribution. First note that the above distribution 
depends on the set QUAL defined at the end of Step 1 of the protocol. Since all the 
simulator's actions in Step 1 of the simulator are identical to the actions of honest 
players interacting with A in a real run of the protocol, we are assured that 
the set QUAL is defined at the end of this simulation step identically to its value in 
the real protocol. We now describe the output distribution of SIM in terms of 
t-degree polynomials f*_i and f'*_i corresponding to the choices of the simulator when 
simulating the actions of the honest players and defined as follows: For i ∈ G \ {n}, 
set f*_i to f_i and f'*_i to f'_i. For i = n, define f*_n via the values f*_n(0) = dlog_g(A*_{n0}) 
and f*_n(j) = s*_{nj} = f_n(j), j = 1, ..., t. Finally, the pol'ynomial f'*_n is defined via 
the relation: f*_n(z) + d · f'*_n(z) = f_n(z) + d · f'_n(z) mod q, where d = dlog_g(h). It can 
be seen by this definition that the values of these polynomials evaluated 
at the points j ∈ B coincide with the values f_i(j), f'_i(j) which are seen by 
the corrupted parties in Step 1 of the protocol. Also, the coefficients of these 
polynomials agree with the exponentials C_{ik} published by the simulated honest 
parties in Step 1 of the protocol (i.e. C_{ik} = g^{a*_{ik}} h^{b*_{ik}} where a*_{ik} and b*_{ik} are 
the coefficients of polynomials f*_i(z), f'*_i(z), respectively, for i ∈ G),^1 as well 
as with the exponentials A_{ik}, i ∈ G \ {n} and A*_{nk} published by the simulator 
in Step 2a on behalf of the honest parties (i.e. A_{ik} = g^{a*_{ik}}, i ∈ G \ {n} and 
A*_{nk} = g^{a*_{nk}}, k = 0, ..., t) corresponding to the players' values in Step 2a of the 
protocol. Thus, these values pass the verifications of Eq. 0 and © as in the 
real protocol. 

It remains to be shown that polynomials f*_i and f'*_i belong to the right 
distribution. Indeed, for i ∈ G \ {n} this is immediate since they are defined 
identically to f_i and f'_i which are chosen according to the uniform distribution. 

^1 Note that in this description we use discrete log values unknown to the simulator; 
this provides a mathematical description of the output distribution of SIM useful 
for our analysis but does not require or assume that SIM can compute these values. 
For f*_n we see that this polynomial evaluates in points j = 1, ..., t to random 
values (s_{nj}) while at 0 it evaluates to dlog_g(A*_{n0}) as required to satisfy Eq. (4). Finally, 
polynomial f'*_n is defined (see above) as f'*_n(z) = d^{-1} · (f_n(z) − f*_n(z)) + f'_n(z) 
and since f'_n(z) is chosen in Step 1 as a random and independent polynomial 
then so is f'*_n(z). 

4.2 Remarks 

Efficiency. We point out that our secure protocol does not lose much in 
efficiency with respect to the previously known insecure Joint-Feldman protocol. 
Instead of Feldman-VSS, each player performs Pedersen-VSS (Step 1) which 
takes the same number of rounds and demands at most twice more local 
computation. The extraction of the public key in Step 2 adds only two rounds (one 
if no player is dishonest) to the whole protocol. We point out that all the long 
modular exponentiations needed during this extraction have already been 
computed during the Pedersen-VSS phase, thus Step 2 is basically “for free” from a 
computational point of view. 

Generation of h. The public value h needed to run Pedersen's VSS can be easily 
generated jointly by the players. Indeed it is important that nobody knows the 
discrete log of h with respect to g. The procedure for generating h consists of a 
generic distributed coin flipping protocol which generates a random value r ∈ Z*_p. 
To generate a random element in the subgroup generated by g it will be enough 
to set h = r^k mod p where k = (p − 1)/q. If does not divide p − 1 (which is 
easily checkable) then h is an element in the group generated by g. 
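The two verification equations of the DKG protocol (the Pedersen check of Step 1 and the Feldman check of Step 2), the public check of a reconstruction share from (C1'), the relation y = g^x from (C2) and Eq. (4), and the generation of h just described, as an added example that is not code from the paper. It runs over the constructed toy group p = 1019, q = 509, g = 4 with five players and t = 2; the Lagrange reconstruction of x itself is not shown.

```python
# Added example, not the paper's code: the DKG verification equations over a
# deliberately tiny group.  p = 1019 and q = 509 (p - 1 = 2q) are constructed
# for readability only; a real deployment uses large primes.
import random

p, q = 1019, 509                 # constructed toy primes with p - 1 = 2q
k = (p - 1) // q                 # exponent mapping Z_p^* onto the subgroup of order q
g = pow(2, k, p)                 # generator of that subgroup (2^k != 1 mod p)
n, t = 5, 2                      # five players, threshold t = 2 (constructed)

def generate_h(r):
    """'Generation of h': r is the output of a distributed coin flip in Z_p^*;
    h = r^k mod p lies in <g> and nobody learns dlog_g(h) this way."""
    h = pow(r, k, p)
    assert h != 1 and pow(h, q, p) == 1
    return h

def rand_poly():
    """Random t-degree polynomial over Z_q as coefficients a_0, ..., a_t."""
    return [random.randrange(q) for _ in range(t + 1)]

def evaluate(poly, x):
    return sum(c * pow(x, i, q) for i, c in enumerate(poly)) % q

def combine(commitments, j):
    """prod_k X_k^{j^k} mod p: the right-hand side of both verification equations."""
    acc = 1
    for kk, X in enumerate(commitments):
        acc = acc * pow(X, pow(j, kk, q), p) % p
    return acc

def verify_pedersen(C, j, s, s_prime, h):
    """Step 1 check by player j: g^{s_ij} h^{s'_ij} = prod_k C_ik^{j^k} mod p."""
    return pow(g, s, p) * pow(h, s_prime, p) % p == combine(C, j)

def verify_feldman(A, j, s):
    """Step 2 check by player j: g^{s_ij} = prod_k A_ik^{j^k} mod p."""
    return pow(g, s, p) == combine(A, j)

def public_share_value(A_all, j):
    """(C1'): g^{x_j} computed only from the broadcast A_ik of every i in QUAL."""
    acc = 1
    for A in A_all.values():
        acc = acc * combine(A, j) % p
    return acc

def run_dkg(h, qual=tuple(range(1, n + 1))):
    """One run in which every player in QUAL is honest; returns the public values
    and the private shares so the checks below can be applied to them."""
    polys = {i: (rand_poly(), rand_poly()) for i in qual}
    C_all = {i: [pow(g, a, p) * pow(h, b, p) % p for a, b in zip(f, fp)]
             for i, (f, fp) in polys.items()}                   # Pedersen C_ik
    A_all = {i: [pow(g, a, p) for a in f] for i, (f, _) in polys.items()}  # A_ik
    pairs = {(i, j): (evaluate(f, j), evaluate(fp, j))
             for i, (f, fp) in polys.items() for j in range(1, n + 1)}
    xs = {j: sum(pairs[(i, j)][0] for i in qual) % q
          for j in range(1, n + 1)}                             # x_j = sum_i s_ij
    y = 1
    for i in qual:
        y = y * A_all[i][0] % p                                 # y = prod_i A_i0 (Eq. 4)
    x = sum(f[0] for f, _ in polys.values()) % q                # x = sum_i z_i (C3)
    return dict(C=C_all, A=A_all, pairs=pairs, xs=xs, y=y, x=x)

def checks(h, run):
    """The properties of Section 4.1 evaluated on one concrete run."""
    honest_pedersen = all(verify_pedersen(run["C"][i], j, s, sp, h)
                          for (i, j), (s, sp) in run["pairs"].items())
    honest_feldman = all(verify_feldman(run["A"][i], j, s)
                         for (i, j), (s, _) in run["pairs"].items())
    # A share altered in transit fails the Step 1 check, i.e. a valid complaint.
    s, sp = run["pairs"][(1, 2)]
    tampered_rejected = not verify_pedersen(run["C"][1], 2, (s + 1) % q, sp, h)
    # (C1'): each x_j is checkable against public data at reconstruction time.
    c1_prime = all(pow(g, xj, p) == public_share_value(run["A"], j)
                   for j, xj in run["xs"].items())
    bad_xj_rejected = (pow(g, (run["xs"][3] + 1) % q, p)
                       != public_share_value(run["A"], 3))
    # (C2): the published y equals g^x for the jointly defined secret x.
    c2 = run["y"] == pow(g, run["x"], p)
    return dict(honest_pedersen=honest_pedersen, honest_feldman=honest_feldman,
                tampered_rejected=tampered_rejected, c1_prime=c1_prime,
                bad_xj_rejected=bad_xj_rejected, c2=c2)

if __name__ == "__main__":
    H = generate_h(random.randrange(2, p - 1))   # stands in for the coin flip
    print(checks(H, run_dkg(H)))
```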



4.3 Other Applications of a DKG Protocol 

DKG protocols have more applications than just key generation. We sketch here 
two of these applications where previous flawed DKG protocols were used and 
for which our solution can serve as a secure plug-in replacement. 

Randomizers in ElGamal/DSS Threshold Signatures. Signature schemes 
based on variants of the ElGamal scheme [ElG85], such as DSS, usually consist 
of a pair (r, s) where r = g^k for a random value k ∈ Z_q. Several robust threshold 
versions of such signature schemes have been proposed in the literature [( Wl ID 31. 
In these schemes the public value r and the sharing of the secret 
value k are jointly generated by the players running a DKG protocol. Clearly, in 
order for the resulting threshold scheme to be identical to the centralized case, 
r must be uniformly distributed in the group generated by g. However, each 
of these papers uses a version of the Joint-Feldman protocol which allows an 
adversary to bias the distribution of r. Our DKG protocol fixes this problem. 

Refresh Phase in Proactive Secret Sharing and Signature Schemes. 

Proactive secret sharing [HJKY95] and signature schemes [HJJ+97] were introduced 
to cope with mobile adversaries who may corrupt more than t servers 
during the lifetime of the secret. In these protocols time is divided into stages, 
with an assumption that the adversary may corrupt at most t servers in each 
stage. However in different stages the adversary can control different players. In 
order to cope with such adversaries the basic idea of proactive secret sharing 
is to “refresh” the shares at the beginning of each stage so that they will be 
independent from shares in previous stages, except for the fact that they 
interpolate to the same secret. This is achieved by the players jointly creating a 
random polynomial f(z) of degree t with free term 0 such that each player P_i 
holds f(i). If the share of player P_i at the previous stage was s_i, the new share 
will be s_i + f(i). In order to generate f(z) the players run a variation of Joint-
Feldman where each player shares value z_i = 0. The polynomial f(z) is the sum 
of the polynomials f_i(z) picked by each player (see Figure ). It should be clear 
that the same attack described in Section |E| to bias the free term of f(z) can 
be carried out to bias any other coefficient of it. The result is that the polynomial 
f(z) generated by this refresh phase is not truly random, which implies that 
shares from different stages are not independent. Our DKG protocol fixes this 
problem as well. 

5 Enhanced Security: Partially Synchronous Model 

In the design of distributed cryptographic protocols it is often assumed that 
the message delivery is fully synchronous (see Section |2I) . This assumption is 
unrealistic in many cases where only partially synchronous message delivery is 
provided (e.g. the Internet). By partially synchronous communication model we 
mean that the messages sent on either a point-to-point or the broadcast channel 
are received by their recipients within some fixed time bound. A failure of a 
communication channel to deliver a message within this time bound can be 
treated as a failure of the sending player. While messages arrive in this partially 
synchronous manner, the protocol as a whole proceeds in synchronized rounds 
of communication, i.e. the honest players start a given round of a protocol at 
the same time. To guarantee this round synchronization, and for simplicity of 
discussion, we assume that the players are equipped with synchronized clocks. 

Notice that in a partially synchronous communication model all messages 
can still be delivered relatively fast, in which case, in every round of commu- 
nication, the malicious adversary can wait for the messages of the uncorrupted 
players to arrive, then decide on his computation and communication for that 
round, and still get his messages delivered to the honest parties on time. There- 
fore we should always assume the worst case that the adversary speaks last in 
every communication round. In the cryptographic protocols literature this is also 
known as a rushing adversary. 

Clearly the fully synchronous communication model is strictly stronger than 
the partially synchronous one, thus the previously existing DKG protocols which 
we recalled in Sectional remain insecure also in this model. In fact, the relaxation 
of the model allows stronger attacks against many of the Joint-Feldman variants. 
For example, the adversary could choose the z_i's of the dishonest players dependent 
on the ones chosen by the honest ones (while in the fully synchronous model 
he is restricted to deciding whether the previously decided z_i's of the dishonest 
players will be “in” or “out” of the computation). 

In contrast, the DKG protocol we propose in this paper is secure even in this 
more realistic partially synchronous communication setting. Intuitively, this is 
because the first stage involves an information-theoretic VSS of the z_i values. 
Thus the adversary has no information about these values and he has to choose 
the z_i's of the dishonest players in an independent fashion even if he speaks 
last at each round. When the values y_i = g^{z_i} are revealed, it is too late for the 
adversary to try to do something as at that point he is committed to the z_i's 
which are recoverable by the honest players. A formal proof of security of our 
protocol in this stronger model is identical to the proof presented in Section 4.1. 
Indeed, it can be easily verified that the proof of security carries over to the 
partially synchronous communication model basically unchanged. 

Extension to Adaptive Adversary. Recently, [CGJ+99] showed a modification 
of our DKG protocol which is secure against an adaptive adversary. In this 
model the attacker can make its decision of what parties to corrupt at any point 
during the run of the protocol (while in our model the corrupted parties are fixed 
in advance before the protocol starts). The only modification to our protocol 
introduced in [CGJ+99] is in the y-extracting step (Step 2), where they replace our 
method of publishing y_i = A_{i0} = g^{z_i} values via Feldman-VSS with the following: 
Each player broadcasts a pair (A_{i0}, B_{i0}) = (g^{a_{i0}}, h^{b_{i0}}) s.t. A_{i0} · B_{i0} = C_{i0} mod p, 
and proves in zero-knowledge that he knows the discrete logs DLOG_g(A_{i0}) and 
DLOG_h(B_{i0}). Proving this ensures that y_i = g^{z_i}. If a player fails the proof then 
his shared value z_i is reconstructed via the Pedersen-VSS reconstruction, as in 
our DKG protocol. 

This modification turns out to suffice to make the protocol secure against 
an adaptive adversary because it allows the construction of a simulator that, at 
any point in the simulation, has at most a single “inconsistent player”. Namely, 
there is at most one player that if corrupted will make the simulation fail, while 
all other corruptions can be handled successfully by the simulator. The way 
the simulator proceeds is by choosing this “inconsistent player” at random and 
hoping the attacker will not corrupt him. If it does, the simulation rewinds to a 
previous state, a new choice of inconsistent player is made, and the simulation 
continues. It is shown in [CGJ+99] that this brings the simulation to a successful 
end in expected polynomial time. 

Acknowledgments. We thank Don Beaver for motivational discussions on this 
problem. 
Abstract. We consider verifiable secret sharing (VSS) and multiparty 
computation (MPC) in the secure-channels model, where a broadcast 
channel is given and a non-zero error probability is allowed. In this model 
Rabin and Ben-Or proposed VSS and MPC protocols secure against an 
adversary that can corrupt any minority of the players. In this paper, we 
first observe that a subprotocol of theirs, known as weak secret sharing 
(WSS), is not secure against an adaptive adversary, contrary to what was 
believed earlier. We then propose new and adaptively secure protocols 
for WSS, VSS and MPC that are substantially more efficient than the 
original ones. Our protocols generalize easily to provide security against 
general Q^2-adversaries. 



1 Introduction 

Since the introduction of multiparty computation [Yao82, GMW87], its design 
and analysis has attracted many researchers, and has generated a large body 
of results. The problem stated very roughly is the following: Consider a set of 
players each holding a private input, who wish to compute some agreed upon 
function of their inputs in a manner which would preserve the secrecy of their 
inputs. They need to carry out the computation even if some of the players 
may become corrupted and actively try to interfere with the computation. So- 
lutions to this problem have been given in various models and under different 
computational assumptions. 

One of the major components of the model is the type of adversary which 
is assumed. The adversary is the entity which corrupts a set (of size up to t) 
of players during the execution of the protocol and takes control of their ac- 
tions. Two types of adversaries have been considered in the literature (barring 
slight variations): static adversaries and adaptive adversaries. The static 
adversary needs to choose the set of corrupted players before the execution of 
the protocol. The adaptive adversary on the other hand can choose the players 
during the execution of the protocol. It has been stated that the protocols of 
[BGW88, CCD88, RB89, Bea91] are secure against an adaptive adversary under 
the assumption that the players communicate via secure private channels.^1 In 
all these results the protocols are information theoretically secure. This has led 
many to believe that if a protocol is designed which is information theoretically 
secure and is executed in a model with private channels then the resulting 
protocol is immediately secure against an adaptive adversary. In the attempt to 
further our understanding of the power of these different adversaries we present 
an example of a natural protocol (which appears in [RB89]) which is information 
theoretically secure against a static adversary but fails against an adaptive 
adversary. 

Another important goal in the design of these protocols is to provide protocols 
which are simple, so that they could actually be implemented in practice. For the 
case where the adversary can corrupt at most a third of the players reasonable 
protocols have been proposed [BGW88], but for the case where the adversary 
can corrupt a half of the players the existing solutions were quite cumbersome 
[RB89, Bea91]. In this paper we present solutions for multiparty computation 
(and for verifiable secret sharing) which are much more efficient than any existing 
protocol for the case where the adversary can corrupt up to a minority of the 
players. 

More specifically we obtain a protocol for VSS which for probability of error 
with n players, requires O((k + log n)n^) bits of communication 
as opposed to Ω((k + log n)k^n^) bits required by existing protocols. This 
improvement is based in part on a more efficient implementation of information 
checking protocol, a concept introduced in [RB89] which can be described very 
loosely speaking as a kind of unconditionally secure signature scheme. Our 
implementation is linear meaning that for two values that can be verified by the 
scheme, any linear combination of them can also be verified with no additional 
information. This means that linear computations can be done non-interactively 
when using our VSS in MPC, contrary to the implementation of [RB89] (this 
property was also obtained in , but with a less efficient information checking 
implementation). 

An essential tool in MPC (provided in both [RB89] and [Bea91]) is a protocol 
that allows a player who has committed, in some manner, to values a, b, and c 
to show that ab = c without revealing extra information. We provide a protocol 
for this purpose giving error probability 2^{-k} which is extremely simple. It allows 
a multiplication step in the MPC protocol to be carried out at cost equivalent 
to O(n) VSS's, where all earlier protocols required O(kn) VSS's. 

Using methods recently developed in [CDM99], our protocols generalize easily 
to provide security against general Q^2-adversaries [HM97]. 

^1 The transformation of such protocols to the public channel model is outside the 
scope of this paper, but the interested reader can refer to lEHSHEEnsnSl. 
Outline 

We first show that the weak secret sharing (WSS) scheme of [RB89, Rab94] is 
not adaptively secure (Section 3). In Section 4 we propose an efficient implementation 
of information checking, and in Section 5 a scheme for verifiable secret 
sharing (VSS) is developed. Based on these protocols, in Section 6 an efficient 
protocol for multiparty computation (MPC) is presented. Finally, in Section 7 an 
efficient protocol secure against general (non-threshold) adversaries is sketched. 

2 Model and Definitions 

In this paper, we consider the secure-channels model with broadcast, i.e. there 
are n players P_1, ..., P_n who are pairwise connected with perfectly private and 
authenticated channels, and there is a broadcast channel. There is a central 
adversary with unbounded computing power who actively corrupts up to t players 
where t < n/2. To actively corrupt a player means to take full control over that 
player, i.e. to make the player (mis)behave in an arbitrary manner. The adversary 
is assumed to be adaptive (or dynamic); this means that he is allowed to 
corrupt players during the protocol execution (and his choice may depend on 
data seen so far), in contrast to a static adversary who only corrupts players 
before the protocol starts. The security of the presented protocols is unconditional 
with some negligible error probability, which is expressed in terms of a 
security parameter k. The protocols operate in a finite field K = GF(q), where 
q > max(n, 2^k). 

2.1 Definition of Information Checking 

Information checking (IC) is an information theoretically secure method for 
authenticating data. An IC scheme consists of three protocols: 

Distr(D, INT, R, s) is initiated by the dealer D. In this phase D hands the secret 
s to the intermediary INT and some auxiliary data to both INT and the 
recipient R. 

AuthVal(INT, R, s) is initiated by INT and carried out by INT and R. In this 
phase INT ensures that in the protocol RevealVal R (if honest) will accept 
s, the secret held by INT. 

RevealVal(INT, R, s') is initiated by INT and carried out by INT and R. In this 
phase R receives a value s' from INT, along with some auxiliary data, and 
either accepts s' or rejects it. 

The IC scheme has the following properties: 

Correctness: 

A. If D, INT, and R are uncorrupted, and D has a secret s then R will accept 
s in phase RevealVal. 

B. If INT and R are honest then after the phases Distr and AuthVal INT knows 
a value s such that R will accept s in the phase RevealVal (except with 
probability 2^{-k}). 

C. If D and R are uncorrupted, then in phase RevealVal with probability at 
least 1 − 2^{-k}, player R will reject every value s' different from s. 



Secrecy: 

D. The information that D hands R in phase Distr is distributed independently 
of the secret s. (Consequently, if D and INT are uncorrupted, and INT has 
not executed the protocol RevealVal, R has no information about the secret 
s.) 



Definition 1. An IC scheme is a triple (Distr, AuthVal, RevealVal) of protocols 
that satisfy the above properties A. to D. 



2.2 Definition of WSS 

An intuitive explanation for a weak secret-sharing (WSS) scheme is that it is a 
distributed analog of a computational commitment. A WSS scheme for sharing 
a secret s ∈ K consists of the two protocols Sh and Rec. WSS exhibits the same 
properties, i.e. it binds the committer to a single value after the sharing phase Sh 
(this is equivalent to the commitment stage in the computational setting), yet 
the committer can choose not to expose this value in the reconstruction phase 
Rec (which is equivalent to the exposure of the commitments). WSS satisfies the 
following properties, with an allowed error probability 2^{-k}: 



— Termination: If the dealer D is honest then all honest players will complete 
Sh, and if the honest players invoke Rec, then each honest player will com- 
plete Rec. 

— Secrecy: If the dealer is honest and no honest player has yet started Rec, 
then the adversary has no information about the shared secret s. 

— Correctness: Once all currently uncorrupted players complete protocol Sh, 
there exists a fixed value, r ∈ K ∪ {NULL}, such that the following requirements 
hold: 

1. If the dealer is uncorrupted throughout protocols Sh and Rec then r is 
the shared secret, i.e. r = s, and each uncorrupted player will output r 
at the end of protocol Rec. 

2. If the dealer is corrupted then each uncorrupted player outputs either r 
or NULL upon completing protocol Rec. 



Definition 2. A t-secure WSS scheme for sharing a secret s ∈ K is a pair 
(Sh, Rec) of two protocols that satisfy the above properties even in the presence 
of an active adversary who corrupts up to t players. 




Efficient Multiparty Computations Secure Against an Adaptive Adversary 315 



2.3 Definition of VSS 

An important protocol, which is widely used for multiparty computation, is 
verifiable secret sharing (VSS) [CGMA85]. In essence a VSS scheme allows a 
dealer to share a secret among n players in such a way that the adversary 
that corrupts at most t of the players, obtains no information about the secret. 
Furthermore, the secret can be efficiently reconstructed, even if the corrupted 
players try to disrupt the protocol. A more formal definition is the following: 

A pair (Sh, Rec) of protocols is a verifiable secret-sharing (VSS) scheme if it 
satisfies a stronger correctness property, with an allowed error probability 2^{-k}: 

— Correctness: Once all currently uncorrupted players complete protocol Sh, 
there exists a fixed value, r ∈ K, such that the following requirements hold: 

1. If the dealer is uncorrupted throughout protocol Sh then r is the shared 
secret, i.e. r = s, and each uncorrupted player outputs r at the end of 
protocol Rec. 

2. If the dealer is corrupted then each uncorrupted player outputs r upon 
completing protocol Rec. 



Definition 3. A t-secure VSS scheme for sharing a secret s ∈ K is a pair 
(Sh, Rec) of two protocols that satisfy the termination and the secrecy property 
of WSS, and the above, stronger, correctness property, even in the presence of 
an active adversary who corrupts up to t players. 



2.4 Definition of MPC 

The goal of multiparty computation (MPC) is to evaluate an agreed function 
g : K^n → K, where each player provides one input and receives the output. 
The privacy of the inputs and the correctness of the output is guaranteed even 
if the adversary corrupts any t players. For a formal definition for security see 
fCLDOl IMbhll Eeahll KJanlMllVIfih'^ . 



3 Adaptive Security of WSS in [RB89] 

In this section we describe a protocol which is secure against a static adversary 
yet fails against an adaptive one. The example captures nicely the power of the 
adaptive adversary to delay decisions and due to that cause different values to 
be computed during the protocol. The protocol which we examine is the weak 
secret-sharing scheme (WSS) of Rabin and Ben-Or [RB89]. The attack 
will only work when t > n/3. It is important to note that this attack applies only 
to the WSS protocol of [RB89] as a stand-alone protocol, and does not apply to 
their VSS scheme, although it uses the WSS as a subprotocol. 

In order to explain the attack we present a simplified version of the [RB89] 
protocol which assumes digital signatures. It is in essence the same protocol but 
with many complicating (non relevant) details omitted. 
WSS Share (Sh) 

The dealer chooses a random polynomial f(x) of degree t, such that f(0) = s, 
the secret to be shared, and sends the share s_i = f(i) with his signature for s_i 
to each player P_i. 

WSS Reconstruct (Rec) 

1. Every player reveals his share s_i and the signature on s_i. 

2. If all properly signed shares s_{i_1}, ..., s_{i_k} for k > t interpolate a single 
polynomial f'(x) of degree at most t, then the secret is taken to be f'(0), otherwise 
no secret is reconstructed. 

The definition of WSS requires that at the end of Sh a single value r ∈ 
K ∪ {NULL} is set so that only that value (or NULL) will be reconstructed in 
Rec. 

Clearly, if the adversary is static then the value r is set to the value interpolated 
through the shares held by the uncorrupted players. This value is well 
defined. If there exists a polynomial f'(x) of degree t then r = f'(0) otherwise 
r is NULL. During reconstruction if r was NULL then the players will set the 
output to NULL as all the shares of the good players will be considered in the 
interpolation and possibly some additional shares from the corrupted players. If 
r was not NULL then either the additional shares provided by the faulty players 
satisfy the polynomial f'(x), in which case r will be reconstructed, or the 
adversary decides to foil the reconstruction by having the corrupted players 
supply shares which do not match f'(x); but this will only cause the players to 
output NULL and not another value r' ≠ r. 

Yet, we will show that under an adaptive adversary this requirement does 
not hold in the above described protocol. The attack for n = 2t + 1 proceeds as 
follows: In the protocol Sh the adaptive adversary corrupts the dealer causing 
him to deviate from the protocol. The dealer chooses two polynomials f_1(x) 
and f_2(x) both of degree at most t, where f_1(0) ≠ f_2(0), and f_1(i) = f_2(i) for 
i = 1, 2, 3. For i = 1, ..., 3, player P_i receives the value f_1(i) (= f_2(i)) as his 
share, for i = 4, ..., t + 2, player P_i receives f_1(i), and for i = t + 3, ..., 2t + 1, 
player P_i receives f_2(i) as his share. All shares are given out with valid signatures. 

In Rec the adversary can decide whether to corrupt P_4, ..., P_{t+2}, thus forcing 
the secret to be f_2(0), or to corrupt P_{t+3}, ..., P_{2t+1} and thus force the secret to 
be f_1(0). Hence it is clear that at the end of Sh there is not a single value which 
can be reconstructed in Rec. The decision on which value to reconstruct can be 
deferred by the adversary until the reconstruction protocol Rec is started. 

Therefore the basic problem with stand-alone WSS is that it is not ensured 
that all honest players are on the same polynomial immediately after distribution. 
But when using it inside the VSS of [RB89], this property is ensured 
as a side effect of the VSS distribute protocol, hence the VSS protocol works 
correctly. 
4 The Information Checking Protocol

In this section we present protocols that satisfy the definition of information checking (cf. Section 2.1). They provide the same functionality as the check vector protocol from [RB89, Rab94] and the time capsule protocol from [Bea91]. However, our implementation of information checking also possesses an additional linearity property which will be utilized later in the paper.

The basic idea for the construction will be that the secret and the verification information all lie on a polynomial of degree 1 (a line), where the secret is the value at the origin. The dealer D hands to the intermediary INT two points on this line, and hands to the recipient R one point at a constant but secret evaluation point α. This α is known to both D and R, but is unknown to INT. R will accept the secret which INT gives him only if the point which R holds lies on the line defined by the two points he receives from INT.

A general remark before we begin describing our protocols: In the following 
we adopt (for ease of exposition) the convention that whenever a player expects 
to receive a message from another player in the next step, and no message arrives, 
he assumes that some fixed default value was received. Thus we do not have to 
treat separately the case where no message arrives. 

Definition 4. A vector (x, y, z) ∈ K³ is 1α-consistent if there exists a degree 1 polynomial w over K such that w(0) = x, w(1) = y, w(α) = z.

Protocol Distr(D, INT, R, s):

The dealer D chooses a random value α ∈ K \ {0, 1} and additional random values y, z ∈ K such that (s, y, z) is 1α-consistent, and in addition he chooses a random 1α-consistent vector (s', y', z'). D sends s, s', y, y' to the intermediary INT and z, z' (together with α) to the recipient R.

Protocol Distr (together with RevealVal below) ensures all properties except Property B. Adding the next protocol ensures this as well, without affecting A, C and D.

Protocol AuthVal(INT, R, s):

1. INT chooses a random element d ∈ K and broadcasts d, s' + ds, y' + dy. If D observes that these values are incorrect, he broadcasts s, y. This counts as claiming that INT is corrupt. In this case the protocol ends here, and the broadcasted values will be used in the following. R will adjust his value for z such that (s, y, z) is 1α-consistent.

2. R checks if (s' + ds, y' + dy, z' + dz) is 1α-consistent. He broadcasts accept or reject accordingly. If D observes that R has acted incorrectly, he broadcasts z, α. This counts as claiming that R is corrupt. In this case the protocol ends here, and the broadcasted values will be used in the following. INT will adjust his value for y such that (s, y, z) is 1α-consistent.

3. If R rejected (and D did not claim him faulty) in the previous step, D must broadcast s, y, and the broadcasted values will be used in the following. R will adjust his value for z such that (s, y, z) is 1α-consistent.

Protocol RevealVal(INT, R, s):

1. INT broadcasts (s, y).

2. R verifies that (s, y, z) is 1α-consistent and broadcasts accept or reject accordingly.

Lemma 1. The protocols (Distr, AuthVal, RevealVal) described above satisfy the definition of information checking (Section 2.1).

Proof. We show that each property is satisfied:

A. It is clear that if all parties are honest, R will accept, and D will never broadcast any values.

B. The property is trivial in the cases where D broadcasts s, y or z, α. So it is enough to show that if D sends an inconsistent (s, y, z) initially, then R rejects with high probability. However, if for e ≠ d both (s' + ds, y' + dy, z' + dz) and (s' + es, y' + ey, z' + ez) are 1α-consistent, then their difference ((d − e)s, (d − e)y, (d − e)z), and hence also (s, y, z), is 1α-consistent. So at most one value of d makes R accept, and by the random choice of d it follows that R will accept with probability at most 1/|K| whenever (s, y, z) is inconsistent.

C. This property will follow from the fact that INT does not know α. Actually, we will show it holds even if D uses the same α in all invocations of the protocol. We will exploit this property later. First note that INT learns no information on α from the Distr and AuthVal protocols: what he gets in Distr has a distribution independent of α. In AuthVal, if he sends correct values, he knows in advance they will be accepted; if he doesn't, he knows that D will complain. Note also that this holds even if we consider many invocations of the authentication protocol together. Thus, all INT knows about α a priori is that it can be any value different from 0, 1, and all candidates are equally likely.

Consider now the position of INT just before the opening of the first s-value. If he sends the correct s, y, or changes only one of the two values (a line through the two remaining correct points has a unique value at the third evaluation point, so R rejects for sure), he knows in advance R's reaction and so learns nothing new. If he sends s'', y'' where s'' ≠ s and y'' ≠ y, then R will accept iff (s'', y'', z) is 1α-consistent. We know that (s, y, z) is 1α-consistent by its definition, thus so is the difference (s − s'', y − y'', 0). This gives a non-trivial degree 1 equation in α, namely (s − s'') + ((y − y'') − (s − s''))·α = 0, from which α can be computed. In other words, INT must guess α to have R accept a false value. He can do this with probability at most 1/(|K| − 2). On the other hand, if R rejects, all INT knows is that the solution to the equation is not the right value, so it can be excluded.

It follows by induction that if at most ℓ values are opened, at least |K| − ℓ − 2 candidates for α remain from the point of view of INT, and no false values have been accepted, except with probability at most ℓ/(|K| − ℓ − 2). In the application to VSS, ℓ will be linear in n, so for a field of size about 2^k the error probability is at most

2^{−k+O(log n)}.
D. If D and INT remain honest and R is corrupt, we must show that R does not learn s ahead of time. Observe that in the authentication protocol R learns z, z', d, s' + ds, y' + dy. Note that since D and INT are honest, R knows in advance that (s' + ds, y' + dy, z' + dz) will be 1α-consistent. He can therefore compute y' + dy from z, z', d, s' + ds, and this value can be deleted from his view without loss of generality. However, it is clear that z, z', d, s' + ds has a distribution independent of s: s' is uniformly random and masks ds, while z and z' are the values of two independent random lines at α.



Linearity of the IC Protocol

In our multiparty computation protocol we would like to be able to authenticate a linear combination of two values. The setting is as follows: D, R and INT have executed both protocols Distr and AuthVal for two different values s_1 and s_2. Now they wish to reveal a linear combination of these two secrets without exposing s_1 and s_2 and without carrying out any additional verification. This can be achieved if for both invocations of the IC protocol the dealer chooses the same value α as the random evaluation point which he gives to R. Then all the properties of the protocol still hold, with the addition that the appropriate linear combination of the verification data yields a verification for the linear combination of s_1 and s_2.
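The protocols Distr, AuthVal and RevealVal above, the Property C forgery attempt, and the linearity trick, worked through in Python as an added example (this is not code from the paper). The field K is taken to be GF(P) for a fixed 61-bit prime P, which is an assumption of the example; the protocol only needs K large enough. The adversary's only advantage is the guess of α, and the example shows a wrong guess is always caught.

```python
"""Information checking over K = GF(P) (added example, not the paper's code)."""
import secrets

P = (1 << 61) - 1   # the field K; this particular prime is an assumption of the example


def line_at(x, y, point):
    """Value at `point` of the degree-1 polynomial w with w(0) = x and w(1) = y."""
    return (x + (y - x) * point) % P


def is_1alpha_consistent(x, y, z, alpha):
    """Definition 4: (x, y, z) is 1alpha-consistent iff w(alpha) = z for that line."""
    return line_at(x, y, alpha) == z % P


def distr(s, alpha):
    """Protocol Distr. D picks y at random, z = w(alpha), and a second random
    1alpha-consistent vector (s', y', z'). Returns INT's view and R's view;
    alpha is known to D and R but never to INT."""
    y, s2, y2 = (secrets.randbelow(P) for _ in range(3))
    int_view = {"s": s % P, "y": y, "s2": s2, "y2": y2}
    r_view = {"z": line_at(s, y, alpha), "z2": line_at(s2, y2, alpha), "alpha": alpha}
    return int_view, r_view


def authval(int_view, r_view):
    """Protocol AuthVal with an honest INT (so D never has to complain):
    INT broadcasts d, s'+ds, y'+dy and R tests (s'+ds, y'+dy, z'+dz)."""
    d = secrets.randbelow(P)
    u = (int_view["s2"] + d * int_view["s"]) % P
    v = (int_view["y2"] + d * int_view["y"]) % P
    w = (r_view["z2"] + d * r_view["z"]) % P
    return is_1alpha_consistent(u, v, w, r_view["alpha"])


def revealval(s, y, r_view):
    """Protocol RevealVal: INT broadcasts (s, y); R accepts iff it fits his z."""
    return is_1alpha_consistent(s, y, r_view["z"], r_view["alpha"])


def forge(int_view, r_view, fake_s, guessed_alpha):
    """The Property C attack: a corrupt INT wants R to accept fake_s != s.
    (s - fake_s, y - y*, 0) must be 1alpha-consistent, so the only workable
    y* depends on alpha, which INT has to guess. Returns R's verdict."""
    s, y = int_view["s"], int_view["y"]
    inv = pow(guessed_alpha, P - 2, P)             # 1/guessed_alpha in GF(P)
    y_star = (y + (s - fake_s) * (inv - 1)) % P
    return revealval(fake_s, y_star, r_view)


def linear_combination(c1, v1, c2, v2, r1, r2):
    """Linearity: two instances that used the same alpha combine coefficient-
    wise into an instance for c1*s1 + c2*s2, with no further AuthVal run."""
    assert r1["alpha"] == r2["alpha"], "linearity needs one alpha for both"
    int_view = {k: (c1 * v1[k] + c2 * v2[k]) % P for k in v1}
    r_view = {"z": (c1 * r1["z"] + c2 * r2["z"]) % P,
              "z2": (c1 * r1["z2"] + c2 * r2["z2"]) % P, "alpha": r1["alpha"]}
    return int_view, r_view


def demo():
    """Returns (honest run accepted, tampered s accepted?, forge with the right
    alpha accepted, forge with a wrong alpha accepted?, combined value verified)."""
    alpha = 2 + secrets.randbelow(P - 2)           # alpha in K \ {0, 1}
    wrong = alpha - 1 if alpha > 2 else alpha + 1  # another element of K \ {0, 1}
    i1, r1 = distr(1234, alpha)
    i2, r2 = distr(5678, alpha)
    honest = authval(i1, r1) and revealval(i1["s"], i1["y"], r1)
    tampered = revealval(i1["s"] + 1, i1["y"], r1)
    lucky = forge(i1, r1, 999, alpha)
    unlucky = forge(i1, r1, 999, wrong)
    i3, r3 = linear_combination(3, i1, 5, i2, r1, r2)
    combined = revealval(i3["s"], i3["y"], r3) and i3["s"] == (3 * 1234 + 5 * 5678) % P
    return honest, tampered, lucky, unlucky, combined
```

The line through (0, fake_s) and (1, y*) meets D's line in exactly one point, so R accepts the forgery only if INT guessed α itself; every wrong guess is rejected, and the rejection tells INT only that one candidate for α is excluded, which is the counting argument behind Property C.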



IC-Signatures

In the sequel we will want to use the information checking protocol as semi "digital signatures". When a person receives a digital signature from a signer, he can later show it to anyone and have that person verify that it is in fact a valid signature. This property can be easily achieved with information checking, by carrying out the protocol with all players as explained below. We do not achieve all properties of digital signatures, but enough in order to achieve our goals.

The IC-signatures will be given in the following way. Protocol Distr will be carried out by the dealer D with intermediary INT and with each player P_1, ..., P_n as the receiver, each with respect to the same value s. Next, the AuthVal protocol will be performed by INT and each player P_i. Then, in protocol RevealVal, INT broadcasts s and the authentication information, and if t + 1 players accept the value s then we shall say that the "signature" has been confirmed (at most t players are corrupt, so at least one honest player accepted). We shall call these signatures IC-signatures. These signatures enable D to give INT a "signature" which only INT can use to convince the other players about the authenticity of a value received from the dealer. Thus, we use these IC-signatures as signatures given specifically from D to INT, and we denote such a signature as σ_s(D, INT).



5 Verifiable Secret Sharing

We now present our simplified VSS protocol. The protocol is based on the bivariate solution of Feldman [FM88] (omitting the need for error correcting codes). The protocol will use our new variant of information checking, which will provide us with high efficiency.

Definition 5. A vector (e_1, ..., e_n) ∈ K^n is t-consistent if there exists a polynomial w(x) of degree at most t such that w(i) = e_i for 1 ≤ i ≤ n.

The intuition behind the construction is that the secret will be shared using an n × n matrix of values, where each row and column is t-consistent, and where row and column i are given to player P_i. Thus, for i ≠ j, P_i and P_j share two values in the matrix. The dealer will commit himself to all the values by signing each entry in the matrix. The row determines, by simple interpolation, a share of a single-variate polynomial. Thus, de facto the dealer has given player P_i a signed share s_i. The players can now check the consistency of the matrix by comparing values between them and expose inconsistent behavior by the dealer using the signatures. Hence we are guaranteed that all the values held by (yet) uncorrupted players are consistent and define a single secret.¹ In order to also have the share of player P_i signed (implicitly) by the other players, player P_i gets each entry in his row signed by the player P_j who shares it. This in turn will prevent the adversary from corrupting the secret at reconstruction time.

VSS Share (Sh)

1. The dealer D chooses a random bivariate polynomial f(x, y) of degree at most t in each variable, such that f(0, 0) = s. Let s_ij = f(i, j). The dealer sends to player P_i the values a_1i = s_1i, ..., a_ni = s_ni and b_i1 = s_i1, ..., b_in = s_in. To each value a_ji, b_ij D attaches a digital signature σ_{a_ji}(D, P_i), σ_{b_ij}(D, P_i).

2. Player P_i checks that the two sets a_1i, ..., a_ni and b_i1, ..., b_in are t-consistent. If the values are not t-consistent, P_i broadcasts these values with D's signature on them. If a player hears a broadcast of inconsistent values with the dealer's signature, then D is disqualified and execution is halted.

3. P_i sends a_ji, together with a signature σ_{a_ji}(P_i, P_j) which he generates on it, privately to P_j.

4. Player P_i compares the value a_ij which he received from P_j in the previous step to the value b_ij received from D (both should equal s_ij). If there is an inconsistency, P_i broadcasts b_ij, σ_{b_ij}(D, P_i).

5. Player P_i checks if P_j broadcasted a value b_ji, σ_{b_ji}(D, P_j) which is different from the value a_ji which he holds. If such a broadcast exists, then P_i broadcasts a_ji, σ_{a_ji}(D, P_i).

6. If for an index pair (i, j) a player hears two broadcasts with signatures from the dealer on different values, then D is disqualified and execution is halted.

VSS Reconstruct (Rec)

1. Player P_i broadcasts the values b_i1, ..., b_in, each b_ij together with the signature which he received on it from player P_j. (If he did not receive a signature from P_j in the protocol Sh, then he had already broadcasted that value with a signature from D.)

2. Player P_i checks whether player P_j's shares broadcasted in the previous step are t-consistent and all the signatures are valid. If not, then P_j is disqualified.

3. The values of all non-disqualified players are taken and interpolated to compute the secret.

¹ So far, this results in a WSS which is secure against an adaptive adversary.
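Two things from this section and the previous one are easy to see in code: the adaptive attack on stand-alone WSS (two degree-t polynomials agreeing at 1, 2, 3 with different constant terms, so that two (t + 2)-player views are each t-consistent yet disagree at 0), and the row/column matrix of Sh, where an off-matrix value handed to one player is caught in steps 2 and 4 and does not change what Rec reconstructs. The following is an added example, not code from the paper; it uses K = GF(P) for a fixed prime P and n = 7, t = 3 as assumptions, and omits the signatures, which only fix blame for a detected inconsistency.

```python
"""WSS attack and bivariate VSS consistency checks (added example, not the paper's code)."""
import secrets

P = 2**61 - 1        # K = GF(P); the modulus is an assumption of this example
N, T = 7, 3          # n = 2t + 1 players; player P_i uses evaluation point i


def poly_eval(f, x):
    """f[i] is the coefficient of x^i."""
    return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P


def interpolate(points, x):
    """Lagrange: the unique polynomial of degree < len(points) through
    points = {i: w(i)}, evaluated at x."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def t_consistent(values, t=T):
    """Definition 5: values = {i: e_i} lie on one polynomial of degree <= t.
    Interpolate through the first t+1 points and test the rest against it."""
    items = sorted(values.items())
    base = dict(items[: t + 1])
    return all(interpolate(base, i) == e for i, e in items[t + 1:])


def wss_attack():
    """Section 3 attack on stand-alone WSS: f1, f2 of degree t agree at 1, 2, 3
    but f2(0) = f1(0) + 1. Players 1..3 get the common values, 4..t+2 get f1(i),
    t+3..2t+1 get f2(i). Returns (side1 consistent, side2 consistent,
    the two reconstructions differ, the full share set is inconsistent)."""
    f1 = [secrets.randbelow(P) for _ in range(T + 1)]
    f2_points = {0: (f1[0] + 1) % P}
    f2_points.update({i: poly_eval(f1, i) for i in (1, 2, 3)})
    f2_points.update({i: secrets.randbelow(P) for i in range(4, T + 1)})  # t+1 points fix f2
    shares = {i: poly_eval(f1, i) for i in range(1, T + 3)}
    shares.update({i: interpolate(f2_points, i) for i in range(T + 3, N + 1)})
    side1 = {i: shares[i] for i in range(1, T + 3)}
    side2 = {i: shares[i] for i in (1, 2, 3, *range(T + 3, N + 1))}
    return (t_consistent(side1), t_consistent(side2),
            interpolate(side1, 0) != interpolate(side2, 0), not t_consistent(shares))


def vss_share(s):
    """Sh step 1 (signatures omitted): random f(x, y) of degree <= t in each
    variable with f(0, 0) = s. P_i receives column a_{1i..ni} = f(1..n, i)
    and row b_{i1..in} = f(i, 1..n)."""
    coef = [[secrets.randbelow(P) for _ in range(T + 1)] for _ in range(T + 1)]
    coef[0][0] = s % P

    def f(x, y):
        return sum(c * pow(x, i, P) * pow(y, j, P)
                   for i, row in enumerate(coef) for j, c in enumerate(row)) % P

    rows = {i: {j: f(i, j) for j in range(1, N + 1)} for i in range(1, N + 1)}
    cols = {i: {j: f(j, i) for j in range(1, N + 1)} for i in range(1, N + 1)}
    return rows, cols


def vss_complaints(rows, cols):
    """Sh steps 2 and 4: P_i checks that his row and column are t-consistent,
    and compares b_{ij} (from D) with the a_{ij} that P_j forwards from his column."""
    out = []
    for i in range(1, N + 1):
        if not (t_consistent(rows[i]) and t_consistent(cols[i])):
            out.append(("inconsistent", i))
        out += [("mismatch", i, j) for j in range(1, N + 1) if rows[i][j] != cols[j][i]]
    return out


def vss_reconstruct(rows):
    """Rec: a t-consistent row b_{i1..in} defines P_i's implicit share f(i, 0);
    the secret is the interpolation of the accepted shares at 0."""
    shares = {i: interpolate(row, 0) for i, row in rows.items() if t_consistent(row)}
    return interpolate(shares, 0)


def vss_demo():
    """Honest dealing passes and reconstructs s; one off-matrix value given to
    P_5 is reported, and the remaining rows still reconstruct s."""
    s = 424242
    rows, cols = vss_share(s)
    honest_ok = vss_complaints(rows, cols) == [] and vss_reconstruct(rows) == s
    rows[5][2] = (rows[5][2] + 1) % P
    caught = ("mismatch", 5, 2) in vss_complaints(rows, cols)
    return honest_ok, caught, vss_reconstruct(rows) == s
```

In the WSS attack both partial views pass the same t-consistency test that Rec applies, which is exactly why the test alone cannot pin down a secret; in the bivariate scheme the tampered row fails its own consistency check and disagrees with P_2's column, so the disqualification of P_5 in Rec step 2 leaves six rows on the dealer's polynomial.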

Theorem 1. The above protocols (Sh, Rec) satisfy the definition of VSS protocols.

Proof. We prove that each required property is satisfied:

Secrecy. Observe that in Steps 2-6 the adversary learns nothing that he was not already told in Step 1. Thus the claim follows immediately from the properties of a bivariate polynomial of degree t and the properties of the information checking.

Termination. From examining the protocol it is clear that the dealer D can be disqualified only if the data which he shared is inconsistent, assuming that the players cannot forge any of the dealer's signatures, of which there are O(n). Thus, an honest dealer will be disqualified with probability at most O(2^{−k+log n}).

Correctness. First we will show that a fixed value r is defined by the distribution. Define r to be the secret which interpolates through the shares held by the set of the first t + 1 players who have not been corrupted during Sh. Their shares are trivially t-consistent, and with probability at least 1 − O(2^{−k+log n}) there are correct signatures for these shares, and thus they define uniquely an underlying polynomial f'(x, y) as well as a secret r = f'(0, 0). Let us look at another uncorrupted player outside this set. He has corroborated his shares with all these t + 1 players and has not found an inconsistency with them. Moreover, this player has also verified that his row and column are t-consistent. Hence, when this player's shares are added to the initial set of players' shares the set remains t-consistent, thus defining the same polynomial f' and secret r. Now we examine the two correctness conditions:

1. It is easy to see that if D is uncorrupted then this value r = s.

2. A value different from r will be interpolated (or the reconstruction will fail) only if a corrupted player is able to introduce values which are inconsistent with the values held by the honest players. A corrupted player succeeds in doing so only when he is not disqualified in Step 2 of the reconstruction procedure. This means that he was able to produce a set of n values which are t-consistent, and for each value to have a signature from the appropriate player to which it relates. Clearly, t + 1 of these signatures must be from still uncorrupted players. We have already shown that these players' shares lie on f'(x, y), thus if the corrupted player's shares are t-consistent they must lie on f'(x, y) as well. Therefore the adversary cannot influence the value of the revealed secret.

□

Efficiency. By inspection of the VSS distribution protocol Sh, one finds that n² field elements (the n × n matrix) are distributed from D, and each of these is authenticated using Distr and AuthVal a constant number of times. Executing Distr and AuthVal requires communicating a constant number of field elements for each player, and so we find that the total communication is O((k + log n)n³) bits, for an error probability of [...].

6 Multiparty Computation

Based on the VSS scheme of the previous section, we now build a multiparty computation protocol. Based on the [BGW88] paradigm it is known that it is sufficient to devise methods for adding and multiplying two shared numbers.

Note that in our case (contrary to e.g. [BGW88]) a VSS of a value a consists not only of the shares a_1, ..., a_n, where a_i is held (in fact implicitly) by P_i; it is explicitly held by P_i via the subshares a_i1, ..., a_in, where a_ij is held also by player P_j, and P_i has an IC-signature from P_j on that value. This structure and the IC-signatures are required for the reconstruction. Thus, if we wish to compute the sum/product of two secrets we need to have the result in this same form.

We will prove the following theorem in the next two subsections.

Theorem 2. Assume the model with a complete network of private channels between n players and a broadcast channel. Let C be any arithmetic circuit over the field K, where |K| > max(n, log k) and k is a security parameter. Then there is a multiparty computation protocol for computing C, secure against any adaptive adversary corrupting less than n/2 of the players. The complexity of this protocol is O(n²|C|) VSS protocols with error probability [...], where |C| is the number of gates in C. This amounts to O(|C| k n^{...}) bits of communication.

6.1 Addition

Addition is straightforward: For two secrets a and b shared with (implicit) shares a_1, ..., a_n and b_1, ..., b_n, all the subshares, and their appropriate IC-signatures, each player P_i needs to add his two (implicit) shares a_i and b_i, which means that he needs to hold an IC-signature from P_j for a_ij + b_ij. But this is immediately achieved, as by the linearity of the IC protocol the sum of two IC-signatures results in an IC-signature for the sum of the values signed. Thus, we have computed the addition of two shared secrets.

6.2 Multiplication

Multiplication is slightly more involved. Assume that we have two secrets a and b with (implicit) shares a_1, ..., a_n and b_1, ..., b_n and all the subshares and their appropriate IC-signatures. We apply the method from [GRR98]. This method calls for every player to multiply his shares of a, resp. b, and to share the result of this using VSS. This results in n VSS's, and a proper sharing of the result c can be computed as a fixed linear combination of these (i.e. each player computes a linear combination of his shares from the n VSS's). Since our VSS is linear, like the one used in [GRR98], the same method will work for us, provided we can show that player P_i can share a secret c_i using VSS such that it will hold that c_i = a_i b_i, and prove that he has done so properly. If P_i fails to complete this process, the simplest solution for recovery is to go back to the start of the computation, reconstruct the inputs of P_i, and redo the computation, this time simulating P_i openly. This will allow the adversary to slow down the computation by at most a factor linear in n.

In order to eliminate subindices let us recap our goal stated from the point of view of a player D. He needs to share a secret c using VSS which satisfies c = ab. The value a is shared via subshares a_1, ..., a_n (lying on a polynomial f_a, say), where a_i is held by player P_i and D holds an IC-signature on this value from P_i. The same holds for the value b (with a polynomial f_b).

1. D shares the value c = ab using the VSS Share protocol. Let f_c be the polynomial defined by this sharing.²

2. D chooses a random β ∈ K and he shares β and βb. The sharing of these values is very primitive: D chooses a polynomial f_β(x) = β_t x^t + ... + β_1 x + β and gives player P_i the value f_β(i) and an IC-signature on this value. A player complains if he did not receive a share and a signature, and the dealer exposes these values. The same is done for βb (with a polynomial f_βb).

3. The players jointly generate, using standard techniques, a random value r, and expose it.

4. D broadcasts the polynomial f_1(x) = r f_a(x) + f_β(x).

5. Player P_i checks that the appropriate linear combination of his shares, r a_i + f_β(i), lies on this polynomial, i.e. equals f_1(i). If it does not, he exposes his signed share f_β(i) and requires the dealer to expose the IC-signature which the dealer holds, generated by P_i, for the value a_i. If the dealer fails then D is disqualified.

6. If the dealer has not been disqualified, each player locally computes r_1 = f_1(0).

7. D broadcasts the polynomial f_2(x) = r_1 f_b(x) − f_βb(x) − r f_c(x).

8. Each player checks that the appropriate linear combination of his shares, r_1 b_i − f_βb(i) − r f_c(i), lies on this polynomial, i.e. equals f_2(i). If it does not, he exposes his signed shares f_βb(i) and f_c(i) and requires the dealer to expose the IC-signature which the dealer holds, generated by P_i, for the value b_i. If the dealer fails then D is disqualified.

9. If D has not been disqualified, P_i verifies that f_2(0) = 0 and accepts the sharing of c; otherwise D is disqualified.

The security of the protocol is guaranteed by the following lemma.

Lemma 2. Executing the above protocol for sharing c = ab does not give the adversary any information that he did not know before.

Proof. Wlog we can assume that the dealer is honest. Thus all the values revealed during the protocol look random to the adversary (except for the polynomial f_2, which is a random polynomial such that f_2(0) = 0). Therefore the adversary learns nothing. □

² Note that f_c is not the bivariate polynomial directly constructed by D; rather it is the univariate polynomial defined by the implicit shares of c.
Lemma 3. If c ≠ ab in the above protocol, then the probability that the dealer succeeds in performing the above is at most 1/|K|.

Proof. Suppose there exist two distinct challenges r and r' such that if either of them is chosen in Step 3 then D is not disqualified in the next rounds. Step 5 guarantees that honest players have consistent shares of f_β, since we open f_1 and we know f_a is consistent. So there is a well-defined value β shared by f_β. In the same way Step 8 guarantees that f_βb is consistent, so it defines some value z (which may or may not be βb). Now from Step 6, r_1 = ra + β and r_1' = r'a + β, so from Step 9 we get (ra + β)b − z − rc = 0 = (r'a + β)b − z − r'c. Subtracting the two equations gives (r − r')(ab − c) = 0, and since r ≠ r' we conclude that ab = c. Hence when c ≠ ab at most one challenge lets D pass, which the random r hits with probability at most 1/|K|. □
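The nine-step product check and the argument of Lemma 3, run end to end in Python as an added example (not code from the paper). The dealer's sharing polynomials f_a, f_b, f_c, f_β, f_βb are ordinary Shamir polynomials over K = GF(P) for a fixed prime P, with n = 7 and t = 3; these parameters, and the omission of the IC-signatures on the shares, are assumptions of the example. The point to see is that an honest dealer passes every check, while a dealer who shares c ≠ ab passes steps 5 and 8 (he computed f_1 and f_2 correctly from his own polynomials) but fails step 9, because f_2(0) = r(ab − c).

```python
"""Proof of correct multiplication (added example, not the paper's code)."""
import secrets

P = 2**61 - 1            # K = GF(P): an assumption of this example
N, T = 7, 3              # n = 2t + 1 players, evaluation points 1..n


def poly_eval(f, x):
    """f[i] is the coefficient of x^i."""
    return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P


def random_poly(const, deg):
    """Degree-deg polynomial with constant term const, as in step 2."""
    return [const % P] + [secrets.randbelow(P) for _ in range(deg)]


def lin(*terms):
    """Coefficient-wise linear combination: lin((c1, f1), (c2, f2), ...)."""
    out = [0] * (T + 1)
    for c, f in terms:
        for i, coef in enumerate(f):
            out[i] = (out[i] + c * coef) % P
    return out


def dealer(fa, fb, fc, r):
    """D's side of steps 2, 4 and 7. fa and fb are the polynomials behind the
    shares a_i = fa(i), b_i = fb(i) that the players hold signed; fc is D's
    sharing of the claimed product c. Returns the players' shares and the two
    broadcast polynomials f1, f2."""
    b = fb[0]
    beta = secrets.randbelow(P)
    fbeta = random_poly(beta, T)                      # shares of beta
    fbetab = random_poly(beta * b, T)                 # shares of beta*b
    f1 = lin((r, fa), (1, fbeta))                     # step 4: f1 = r fa + fbeta
    r1 = poly_eval(f1, 0)                             # step 6: r1 = r a + beta
    f2 = lin((r1, fb), (P - 1, fbetab), (P - r, fc))  # step 7: f2 = r1 fb - fbetab - r fc
    shares = {i: {"a": poly_eval(fa, i), "b": poly_eval(fb, i), "c": poly_eval(fc, i),
                  "beta": poly_eval(fbeta, i), "betab": poly_eval(fbetab, i)}
              for i in range(1, N + 1)}
    return shares, f1, f2


def player_accepts(i, sh, f1, f2, r):
    """Steps 5, 8 and 9 from P_i's point of view, using only his own shares
    and the broadcast polynomials."""
    r1 = poly_eval(f1, 0)
    step5 = poly_eval(f1, i) == (r * sh["a"] + sh["beta"]) % P
    step8 = poly_eval(f2, i) == (r1 * sh["b"] - sh["betab"] - r * sh["c"]) % P
    step9 = poly_eval(f2, 0) == 0
    return step5 and step8 and step9


def run(a, b, c):
    """One execution with a public challenge r (step 3). The paper draws r from
    all of K; r = 0 makes f2(0) = 0 regardless of c, which is the 1/|K| chance
    of Lemma 3, so this example draws r from K \ {0} to make the run decisive.
    Returns True iff every player accepts D's sharing of c."""
    fa, fb, fc = random_poly(a, T), random_poly(b, T), random_poly(c, T)
    r = 1 + secrets.randbelow(P - 1)
    shares, f1, f2 = dealer(fa, fb, fc, r)
    return all(player_accepts(i, shares[i], f1, f2, r) for i in range(1, N + 1))


def demo():
    """(honest dealer with c = ab accepted, cheating dealer with c = ab + 1 accepted)."""
    a, b = 17, 23
    return run(a, b, a * b), run(a, b, a * b + 1)
```

Nothing a cheating dealer controls after step 3 helps him: β and βb are fixed before r is known, so f_2(0) = (ra + β)b − βb − rc = r(ab − c) is zero for a non-zero r only if ab = c, which is the subtraction in the proof of Lemma 3.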

7 General Adversaries

It is possible to go beyond adaptive security against any dishonest minority by considering general, i.e. not necessarily threshold, adversaries [HM97]. The corruption capability of such an adversary is specified by a family of subsets of the players, where the adversary is restricted to corrupting one of these sets; dishonest minority is clearly a special case. Our results in this paper extend to the general scenario, following ideas developed in [CDM99].

First, by replacing Shamir secret sharing by monotone span program (MSP) secret sharing [KW93] in our VSS, we immediately obtain WSS protocols secure against any Q²-adversary [HM97], with communication and computation polynomial in the monotone span program complexity of the adversary [CDM99]. A Q²-adversary is an adversary who is capable of corrupting only subsets of players in a given family of subsets, where no two subsets in the family together cover the full player set.

The reason why the generalized protocol is only a WSS and not a VSS is that for a general linear secret sharing scheme, a qualified subset of shares defines uniquely the secret, but NOT necessarily the entire set of shares (in contrast with what is the case for Shamir's threshold scheme).

However, building on the linearity of this WSS and monotone span program secret sharing, we can still construct efficient VSS (with negligible, but non-zero error) secure against any Q²-adversary.

Roughly speaking, the idea (taken from [CDM99]) is that the dealer will use WSS to commit to his secret and the set of shares. He can then convince the players that this was done correctly. This amounts to showing a number of linear relations on committed values, which is easy by linearity of the WSS. Finally, each commitment to a share is privately opened to the player that is to receive it.

The resulting VSS enables multi-party computation secure against any Q²-adversary if we base the construction of VSS on a so called MSP with multiplication [CDM99]. Such an MSP always exists, and can be chosen to have size at most twice that of a minimal MSP secure against the adversary. As far as general adversaries are concerned, security against Q²-adversaries is the maximum attainable level of security.

This construction gives a VSS with complexity O((k + log n)nm²) bits, where m is the size of the monotone span program. In some independent work Smith and Stiglic [SS98] present a somewhat similar idea, which however results in a less efficient protocol (O(k²(k + log n)nm²) bits) because they directly apply the ideas from [CDM99] to [RB89], i.e. replace in [RB89] Shamir's secret sharing by the monotone span programs with multiplication from [CDM99].
Abstract. This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x).

The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.



1 Introduction

A single server that is responsible for a critical operation is a performance bottleneck and a single point of failure. A common approach for solving this problem is the use of several replicated servers. However, this type of solution degrades the security of the system if the servers have to store secrets (e.g. keys) which are required for cryptographic operations. A solution to both the availability and the security problems is to design a system whose security is not affected if a limited number of servers are broken into (see Section 1.2 for a discussion of the availability and security issues for KDCs).

The problem of distributing the evaluation of trapdoor functions for public key cryptography was extensively investigated (see e.g. [...]). However, the problem of distributing the functions needed for private key cryptography,

* Research supported by an infrastructure research grant of the Israeli Ministry of Science.

** Research supported by an Eshkol Fellowship of the Israeli Ministry of Science.

*** Research supported by a Clore Scholars award and an Eshkol Fellowship of the Israeli Ministry of Science.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 327-346, 1999.

© Springer-Verlag Berlin Heidelberg 1999

328 Moni Naor, Benny Pinkas, and Omer Reingold



in particular the distribution of the evaluation of pseudo-random functions, was neglected (an exception is the work of [...]). Threshold evaluation of random-like functions is required for seemingly unrelated applications, for example for secure and efficient metering of web usage [...], for threshold evaluation of the Cramer-Shoup cryptosystem [...], and for the applications we discuss in this paper (in particular, distributed KDCs and long-term repositories for encrypted data). These applications require that the protocol for the collective function evaluation does not involve communication between the parties which evaluate the function. This requirement is not satisfied by most threshold constructions for public key cryptography.

This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x).

Distributed and consistent evaluation of pseudo-random functions is useful for many applications. The consistency property is especially useful for the following three types of applications:

(i) A distributed KDC system (DKDC), in particular for multicast communication. We describe this application in detail in Section 1.2.

(ii) Long-term encryption of information, where a user might want to encrypt personal information and keep the decryption keys safely distributed between many servers (see Section 1.3).

(iii) A realization of a Random Oracle or of a beacon [...] that generates randomness which should be shared by remote parties and used in a cryptographic protocol.

We introduce the notion of a Distributed Pseudo-Random Function (DPRF). We describe several constructions of approximations to random functions which are useful for many of the applications of a DPRF. A threshold DPRF (depicted in Figure 1) is a system of n servers such that any k of them can compute the function f, but breaking into any k − 1 servers does not give any information about f (for instance, think of a system with n = 20 servers and a threshold of k = 3). The servers could be distributed across the network, and a party can contact any k of them in order to compute f. If several parties need to compute f for the same input they are not required to contact the same k servers; rather, each party can contact a different set of k servers (e.g. those to which it has the best communication channels). Furthermore, to reduce the latency of the computation a party can contact the k servers in parallel. We also support DPRFs based on general monotone access structures [...] rather than on threshold ones. There are several scenarios where general access structures might be preferable to threshold access structures (e.g. to allow efficient implementations of quorum systems [...] which enable fast revocation).
Fig. 1. A Distributed Pseudo-Random Function System.

Our constructions can be further amended to be robust against servers which send incorrect data to users who approach them (the robustness is based either on error-correcting mechanisms or on proof techniques). The constructions can also be further improved to ensure proactive security (see [11] and references therein for a general discussion of proactive security), which provides automatic recovery from break-ins: the servers perform some periodic refreshment of their secrets (e.g. once a day), and as a result only an adversary which breaks into k servers in the same period can break the security of the system.



1.1 Our Solutions for a Threshold Access Structure

It is unknown how to perform a threshold evaluation of a pseudo-random function without requiring heavy communication between the servers for each given input. Lacking a general construction, we describe three different approximations of DPRFs with a threshold access structure.

The first construction generates f as an ℓ-wise independent function. It provides information theoretic security as long as an adversary does not obtain ℓ different values. The scheme is very efficient and requires only multiplications in a small finite field (which essentially should only be large enough so that a random element in it can be used as a key for a private-key encryption scheme). The parameter ℓ can therefore be set to be rather large (even several millions).

The second construction is based on a computational assumption: the decisional Diffie-Hellman assumption (see [...]). However, the resulting function is only weakly pseudo-random, i.e. it is pseudo-random as long as the inputs on which it is evaluated are pseudo-random. The construction requires a user to compute O(k) exponentiations in order to compute the function's output, and a server should compute only a single exponentiation in order to serve a user. The first two constructions can be easily amended to provide proactive security.

The third construction is based on a monotone CNF formula realizing the threshold k-out-of-n function. This construction computes a full-fledged pseudo-random function and its security depends only on the existence of pseudo-random functions. It can also be adapted to any access structure. Its drawback is that it is only efficient for moderate values of n and small values of k, and we do not know how to enhance it to obtain proactive security.

The constructions and their properties are summarized in Table 1. 

                Efficiency       Pseudo-       Number of     Proactive   Robust.   General 
                                 randomness    evaluations   security              access 
  ℓ-wise ind.   efficient poly   strong        limited       yes         yes       yes 
  DDH           expensive poly   weak          unlimited     yes         yes       yes 
  CNF           exponential      strong        unlimited     no          yes       yes 

Table 1. A comparison of the threshold schemes. 



DPRFs for general access structures: We present constructions of DPRFs 
based on any monotone access structure. For example, an access structure based 
on a quorum system allows for fast user revocation by accessing the servers 
which are members of a single quorum. Our constructions are based either on 
monotone symmetric branching programs (contact schemes), or on monotone 
span programs. 



1.2 Application to Key Distribution — DKDCs 

A Key Distribution Center (KDC): A popular approach for generating 
common keys between two parties without using public key cryptography is by 
using a three-party trust model which includes a trusted key distribution center 
(KDC). In networks which use a KDC there is a dedicated key between the KDC 
and each of the members of the network. Denote by $k_u$ the key between the KDC 
and party $u$. This is the only key that $u$ has to store. Very informally, when two 
parties (e.g. $u$ and $v$) wish to communicate, one of them approaches the KDC, 
which then provides a random key $k_{u,v}$ and sends it to each of the two parties, 
encrypted with their respective secret keys (i.e. $E_{k_u}(k_{u,v})$, the encryption 
of $k_{u,v}$ with the key $k_u$, is sent to party $u$, and $E_{k_v}(k_{u,v})$ is sent to 
$v$). The parties can now communicate using the key $k_{u,v}$. This approach was 
initiated by Needham and Schroeder in 1978 m and is widely implemented, most 
notably in the Kerberos system (see e.g. [23]). Bellare and Rogaway 0 give a 
complexity-theoretic treatment of this model, and present a provably secure 
protocol for session key distribution based on the existence of pseudo-random 
functions. 

The approach of using a KDC is appealing since each party should only store 
a single key and when a new party is introduced there is no need to send keys 
to other parties. However there are various problems in using KDCs, which are 
due to the fact that a KDC is a single point of failure: 

— Security: The KDC knows all the keys that are used in the system, and if 
it is broken into, the security of the entire network is compromised. 

— Availability: (i) The KDC is a performance bottleneck: every party has 
to communicate with it each time it wishes to retrieve a key. (ii) When 
the KDC is down or unreachable no party can obtain new keys for starting 
conversations on the network. (iii) The availability problem is amplified when 
trying to use a KDC to generate keys for multicast communication (i.e. to 
be shared by more than two parties), since all the relevant parties have to 
contact a single KDC. 

In order to address these problems the common practice is to use multiple 
KDCs. However, the known solutions are far from being perfect: (i) The security 
problem is addressed by dividing the network into different domains and 
dedicating a different KDC to each domain. When a KDC is broken into, only 
the domain to which it belongs is compromised. However, the management of 
inter-domain connections is complicated and a KDC still holds all the secrets of 
its domain. (ii) The availability problem is reduced by replicating the KDC and 
installing several servers, each containing all the information that was previously 
stored in the KDC. This improves the availability but decreases security: there 
are multiple sensitive locations and breaking into any of these replicated KDCs 
compromises the security of the network. There is also an additional problem of 
reliably synchronizing the information that is stored in the different copies. 

Multicast communication: The availability problem is relevant to unicast 
communication between two parties but is even more severe for multicast 
communication. Multicast communication is sent to a (potentially large) number 
of parties. Typical applications are the transmission of streams of data (such as 
video streams) to large groups of recipients, or an interactive multiparty 
conference. The large (exponential) number of groups in which a party might 
participate prevents it from storing a key for each potential group. On the other 
hand, the large number of parties which might require the service of the KDC 
worsens the availability problem. For example, imagine a source which transmits 
many video channels over the Internet, with hundreds of thousands of receivers 
all over the world. A single KDC cannot handle requests from all these receivers. 
Alternatively, consider a multinational company which uses a single KDC for 
providing keys for virtual meetings of its employees. If some offices are 
disconnected from the KDC then users in these offices cannot even obtain keys 
for virtual meetings between themselves. 

A Distributed KDC — DKDC: A DPRF can be used to construct a Distributed 
KDC (DKDC). A DKDC consists of $n$ servers, and a user should contact $k$ 
of them in order to obtain a key. The servers are responsible for a consistent 
mapping between key names and key values.¹ Each KDC server should operate 
as a server in the distributed evaluation of the pseudo-random function $f$. The 
key for a certain subset $S$ of users is defined as $k_S = f(S)$. This approach is 
especially useful for generating keys for multicast groups with many members. 
Each member might approach a different authorized subset of the KDCs and 
it is guaranteed that every user obtains the same key. It is also useful to use 
this construction to generate keys for unicast communication if each of the two 
parties prefers to access a different subset of KDCs. 

¹ Of course, consistency does not prevent groups of users from using different keys at 
different times (session keys), if this is desired. 

Key granting policy: When a user requests a key from a KDC the KDC should 
decide whether the user is entitled to receive this key. The question of how this 
decision is made is independent of this work. 

One appealing approach is when a group name is derived from the identities 
of its members and then servers can easily verify whether a user that asks for 
a key is part of the group of users that use the key. This method is good for 
“mid-sized” groups. For larger groups the group name can be generated by a 
method based on hash trees, and then a user can efficiently prove to a server 
that it is part of a group. 

Another approach introduces an interesting billing mechanism for multicast 
transmissions with $k$-out-of-$n$ DKDCs: the user is required to pay each server 
$1/k$ of the payment needed for accessing the transmission, and to receive in 
return the information the server can contribute towards the reconstruction of 
the decryption key. 

1.3 Long-Term Encryption of Information 

Suppose one wishes to store encrypted information so that it remains safe for 
many years. A problem that immediately arises is where to store the keys used for 
the encryption so that they would not be leaked or lost. Note that the question 
of storing keys safely arises in many other scenarios, e.g. 0. One possibility is 
to use a DPRF as a long term key repository. We add to the system a collection 
of $n$ servers that act as the servers of the DPRF. These servers are trusted in 
the sense that no more than $k$ of them become faulty.² We should also have 
some way to specify the policy determining who is allowed to decrypt the file, 
as the system is likely to be used by many users. We assume that the DPRF 
has ways to check whether a user is allowed to obtain information with a given 
policy (this is orthogonal to the issue at hand). 

In order for a user to encrypt a file $X$ with a decryption policy specified by 
$who$, it does the following: 

— Choose an encryption key $r$ for a conventional encryption scheme $G$ and 
encrypt the file with key $r$. Let $Y = G_r(X)$. 

— Compute $h = H(Y)$ where $H$ is a collision intractable hash function. 

— Apply to the DPRF to obtain $s = f(h \circ who)$. 

— Put $Y$ in the long term storage together with $who$ and $s \oplus r$. 

To decrypt an encrypted file $Y$ with policy $who$ and encrypted key $s'$: 

— Compute $h = H(Y)$. 

— Apply the DPRF to obtain $s = f(h \circ who)$. 

— Decrypt $Y$ with $G$ using the key $s \oplus s'$. 

Note that we do not require the servers of the DPRF to store anything in 
addition to their keys. All information related to the file can be stored at the 
same place. Also note that in order to combat changes to the stored information 
one should use parts of $s$ as an authentication key to $Y$ and $r$. 

² In this case the desirability of proactive security is evident since the assumption is 
that no more than $k$ are broken into at any given period. 
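The storage procedure above, written out as an added example (not code from the paper): the DPRF output $f(h \circ who)$ is stood in for by a keyed HMAC, so the distributed evaluation itself is not modelled, and the conventional scheme $G$ is a constructed SHA-256 counter-mode keystream rather than a standard cipher. The split of $s$ into a wrapping part and an authentication part follows the note on protecting $Y$ and $r$ against modification.

```python
"""Long-term encryption with a DPRF-held key (Section 1.3), as an added example.

Assumptions, all constructed for this illustration:
  * dprf() stands in for the k-out-of-n servers' joint output f(h o who);
    it is a keyed HMAC, not the distributed scheme itself.
  * G is a toy stream cipher (SHA-256 in counter mode); a real deployment
    would use a standard conventional cipher.
"""
import hashlib
import hmac
import os
from typing import Optional

# Secret that in the real system is shared among the n servers (constructed value).
_DPRF_SYSTEM_KEY = bytes.fromhex("5d41402abc4b2a76b9719d911017c592")


def dprf(h: bytes, who: bytes) -> bytes:
    """s = f(h o who): the DPRF output for file hash h and policy string who."""
    return hmac.new(_DPRF_SYSTEM_KEY, h + b"\x00" + who, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def G(key: bytes, data: bytes) -> bytes:
    """Toy conventional scheme G_key(data); XOR-based, so it is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_for_storage(X: bytes, who: bytes) -> dict:
    """Encrypt file X under policy who; returns the record kept in long-term storage."""
    r = os.urandom(16)                          # one-time conventional key r
    Y = G(r, X)                                 # Y = G_r(X)
    h = hashlib.sha256(Y).digest()              # h = H(Y)
    s = dprf(h, who)                            # s = f(h o who), 32 bytes
    s_wrap, s_auth = s[:16], s[16:]             # parts of s: wrapping key, MAC key
    wrapped = _xor(s_wrap, r)                   # s (+) r; r itself is never stored
    tag = hmac.new(s_auth, Y + wrapped, hashlib.sha256).digest()
    return {"Y": Y, "who": who, "wrapped": wrapped, "tag": tag}


def decrypt_from_storage(rec: dict) -> Optional[bytes]:
    """Recover X, or return None if Y, who or the wrapped key were altered."""
    Y, who, wrapped = rec["Y"], rec["who"], rec["wrapped"]
    s = dprf(hashlib.sha256(Y).digest(), who)   # same h and who give the same s
    s_wrap, s_auth = s[:16], s[16:]
    expected = hmac.new(s_auth, Y + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None                             # stored data was modified
    r = _xor(s_wrap, wrapped)                   # r = (s (+) r) (+) s
    return G(r, Y)
```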

1.4 Related Work 

DPRF systems perform multi-party computations. The generic solutions of 
EMI for multiparty computations are inefficient for this application (even 
when applied to the relatively simple pseudo-random functions of m, see the 
discussion there). In particular, they require communication between the servers 
which are involved in the evaluation of the function. Their security is also only 
guaranteed if less than one third (or one half in the passive model) of the servers 
are corrupted. 

There has been a lot of work on designing and implementing KDCs. A good 
overview of this work can be found in [27] and a formal treatment of the problem 
is given in P). Most of this work was for a trusted party which generates a key 
"on-the-fly", i.e. where consistency of the key is not required. While this model 
may be more relevant to unicast, it is less applicable when more than two parties 
are involved. 

Naor and Wool m considered a different scenario for protecting databases, 
and when adapted to our scenario their solution is one where the servers are 
trusted never to reveal their secret keys, but some of them might not have 
received updates regarding the permissions of users (which is a weaker assumption 
than the one regarded in this paper). 

Our first two constructions are similar in nature to the constructions of Naor 
and Pinkas for metering schemes m. The problem they considered was to enable 
a server to prove that it served a certain number of clients (a representative 
application might be to meter the popularity of web sites in order to decide on 
advertisement fees). In general, not every solution for the metering problem is 
relevant to the construction of a DPRF (for example, the output of the metering 
computation should be unpredictable whereas the output of a DPRF should be 
pseudo-random). The metering constructions achieve better robustness against 
transmission of corrupt proof components than the robustness of our DPRF 
schemes against corrupt key components. On the other hand the metering 
constructions do not provide proactive security (due to the lack of communication 
channels between clients in that model) whereas we present very efficient 
proactive enhancements to the DPRF schemes. 

Micali and Sidney showed how to perform a shared evaluation of a 
pseudo-random function with a non-tight threshold. They provided a lower 
bound and a non-optimal probabilistic construction which is relevant only for 
small values of $k$ and $n$. We describe a deterministic construction for the sharp 
threshold case which matches their lower bound. 

Gong [25] considered a problem related to the DKDC application: a pair of 
users $A$ and $B$ each have private channels to $n$ servers, and would like to use 
them to send a secret and authenticated message from $A$ to $B$ (e.g. a key which 
they will later use). Some of the servers might be corrupt and might change the 
messages they are asked to deliver (this problem is similar to that considered 
by Dolev et al. m since each server is essentially a faulty communication link). 
Gong's scheme requires $A$ to send through each server a message of length $O(n)$ 

2 Definitions 

2.1 The Model 

The following model is used throughout this work. 

Setting: We consider a network of many users (clients), which also contains $n$ 
servers $S_1, \ldots, S_n$. Each user $u$ has a private connection with each of at least $k$ 
servers (in all but the proactive solutions these channels can be realized using 
symmetric encryption. A future work m describes how to efficiently maintain 
these channels in the proactive model). 

Initialization: At the initialization stage each server $S_i$ receives some secret 
personal key $a_i$ which it would use in its subsequent operation. It is possible 
that the values $\{a_i\}_{i=1}^{n}$ were generated by a central authority from a system 
key $a$. If this is the case then $a$ is erased at the end of the initialization stage. 
Preferably, the servers perform a short joint computation which generates the 
values $\{a_i\}_{i=1}^{n}$, such that no coalition $C$ of $k-1$ servers can use its values to 
learn anything about $a_u$ if $u \notin C$. This prevents even a temporary concentration 
of the system's secrets at a single location. 

Regular operation: A party $u$ that wants to compute $f(x)$ operates as follows: 

— It contacts $k$ servers, $S_{i_1}, \ldots, S_{i_k}$, and sends to each of them a message 
$(u, x)$. 

— Each server $S_i$ verifies that $u$ is entitled to compute $f(x)$. If so, it computes 
a function $F(a_i, x)$, and sends the result to $u$ through their private channel. 

— $u$ computes $f(x)$ from the answers it received using a function $G$, namely it 
computes $f(x) = G(x, F(a_{i_1}, x), \ldots, F(a_{i_k}, x))$. 



2.2 Requirements 

There are two approaches to approximating random functions: pseudo-randomness 
and $\ell$-wise independence. We present approximations to DPRFs which follow 
both these directions. 

Loosely speaking, pseudo-random distributions cannot be efficiently distinguished 
from uniform distributions. However, pseudo-random distributions have 
substantially smaller entropy than uniform distributions and are efficiently 
sampleable. Pseudo-random function ensembles, which were introduced in m, are 
distributions of functions. These distributions are indistinguishable from the 
uniform distribution under all (polynomially-bounded) black-box attacks (i.e. 
the distinguisher can only access the function by adaptively specifying inputs 
and getting the value of the function on these inputs). Goldreich, Goldwasser, 
and Micali provided a construction of such functions based on the existence of 
pseudo-random generators. See for further discussions and exact definitions 
of pseudo-random functions. 

We also use $\ell$-wise independent functions. Their difference from a pseudo-random 
function is that more than $\ell$ values of an $\ell$-wise independent function 
are not "random looking" (however, a set of at most $\ell$ values is completely 
random rather than pseudo-random). 

In a DPRF the ability to evaluate the function is distributed among the 
servers. The process that is performed by the servers can be defined as 
$k$-out-of-$n$ threshold function evaluation. 

Definition 1 ($k$-out-of-$n$ threshold evaluation of a pseudo-random function). 

Let $\mathcal{F}_m = \{f_a\}$ be a family of pseudo-random functions with security parameter 
$m$, keyed by $a$. A $k$-out-of-$n$ computation of $\mathcal{F}_m$ is a triple of polynomial time 
functions $(S, F, G)$ (the key sharing, share computation and construction 
functions), such that 

— For every $f_a \in \mathcal{F}_m$, $S(a) = (a_1, \ldots, a_n)$, such that 

— For every $1 \le i_1 < \cdots < i_k \le n$, 
$G((i_1, F(a_{i_1}, x)), \ldots, (i_k, F(a_{i_k}, x))) = f_a(x)$. And, 

— For every $1 \le i_1 < \cdots < i_{k-1} \le n$, given $\{a_{i_j}\}_{j=1}^{k-1}$, and given a set $Y$ of 
polynomially many values (where the inputs in $Y$ were chosen adaptively, 
possibly depending on $\{a_{i_j}\}_{j=1}^{k-1}$) together with the values 
$\{f_a(y), \{F(a_i, y)\}_{i=1}^{n}\}$ for every $y \in Y$, the restriction of the function 
$f_a$ to inputs which are not in $Y$ is pseudo-random. 

The definition of $k$-out-of-$n$ threshold evaluation of an $\ell$-wise independent 
function is similar, except that $\mathcal{F}_m$ is a family of $\ell$-wise independent functions, 
and it is required that given the computation process of any $\ell - 1$ function 
values, any remaining value is uniformly distributed. 

The most important requirement of $k$-out-of-$n$ threshold function evaluation 
is that the output of $f$ be consistent. The protocol might be considered as a 
special case of multi-party computations. However, although it might not 
be obvious from first reading, our definition includes several efficiency restrictions 
which do not exist in the definition of multi-party computations and which are 
actually not satisfied by the constructions of j25ltil 1 4j (their constructions are 
also for a joint computation by $n$ parties, and are secure only against coalitions 
of less than $n/2$ or $n/3$ parties. Our requirement is for a joint computation by $k$ 
parties and security against $k-1$ servers, where $k$ might be any number up to 
$n$). The efficiency requirements, which we explicitly state below, are needed to 
minimize the communication overhead, which is often the most important factor 
of the system's overhead. The efficiency requirements are: 

Communication pattern: In the process of computing f{x) there is no com- 
munication between the servers. The only communication is between the servers 
and the party that computes f{x). 

Single round: There is only a single round of communication between the 
servers and the user. The user can send queries to the servers in parallel, i.e. 
there is no need to wait for the answer from one server before sending a query 
to another server. 

Obliviousness: The query to one server does not depend on the identities of 
the other servers which the user queries. This requirement is important if the 
user might find (while in the middle of the process of querying the servers) that 
some of the servers to which it applied are malfunctioning. 

Additional requirements can be considered as security optimizations to the 
original definition. They are not obligatory, but improve the quality of a DPRF 
construction: 

Robustness: If a server is controlled by an adversary it might send to the user 
corrupt information which prevents the user from computing the correct value. 
It is preferable if the user can identify when such an event happens. 

Proactive security (or, Resilience to prolonged attacks): Proactive security 
enables a system to maintain its overall security even if its components are 
repeatedly broken into. Systems with proactive security typically use a security 
parameter $k$ and are secure as long as less than $k$ system components are broken 
into in the same time period (see [1] for a discussion of proactive security). 

3 The Threshold Constructions 

3.1 ℓ-wise Independence Based on Bivariate Polynomials 

The first construction is based on a generalization of the secret sharing scheme of 
Shamir to bivariate polynomials. It is a threshold construction of an $\ell$-wise 
independent function. The scheme can be used to generate more than $\ell$ values 
as long as it is guaranteed that no adversary will get hold of $\ell$ values. It is not 
necessarily decided in advance which values will be generated by the scheme. 

Setting: The family $\mathcal{F}$ is the collection of all bivariate polynomials $P(x, y)$ 
over a finite field $\mathcal{H}$, in which the degree of $x$ is $k-1$ and the degree of $y$ is 
$\ell - 1$. The key $a$ defines an element $f_a \in \mathcal{F}$ ($a$ consists of the $k\ell$ coefficients of 
the polynomial). The output of the function is an element in the field $\mathcal{H}$. All the 
arithmetic operations performed by the scheme are over $\mathcal{H}$. 

Initialization: (we describe here an initialization by a central authority; later 
we also describe how the servers can perform a distributed initialization). The 
initializer of the system chooses a random key $a$ which defines a random 
polynomial $P(x, y)$ from $\mathcal{F}$. Each server $S_i$ receives the key $a_i = Q_i(y) = P(i, \cdot)$, 
which is a polynomial of degree $\ell - 1$ in $y$. 

Operation: The value $f(h)$ is defined as $f(h) = P(0, h)$. Consider a user that 
wishes to compute this value. Say the user approaches server $S_i$; then it should 
send him the information $\beta_{i,h} = F(a_i, h) = Q_i(h) = P(i, h)$. After receiving 
information from $k$ servers $S_{i_1}, \ldots, S_{i_k}$ the user can perform a polynomial 
interpolation through the points $\{(i_j, \beta_{i_j,h})\}_{j=1}^{k}$ and compute the free coefficient 
of the polynomial $Q_h(x) = P(\cdot, h)$, namely the value $f(h) = P(0, h)$. 

The following points can be easily verified: (i) The scheme implements the 
definition of $k$-out-of-$n$ evaluation of an $\ell$-wise independent function. (ii) In a 
DKDC application the size of an element in the field $\mathcal{H}$ should be the length of 
the required key and can therefore be rather small (e.g. 128 bits). The scheme 
can therefore be used to produce a large number of keys (e.g. $\ell = 10^6$). 

Several modifications can enhance the above scheme: (i) Proactive security 
can be easily obtained, see Section 0. (ii) In order to reduce the complexity of 
the polynomial interpolation it is possible to use several polynomials of smaller 
degree and map keys to polynomials at random. (iii) It is possible to perform a 
distributed initialization of the polynomial $P$, and then the system's secrets are 
never held by a single party. The initialization is performed by several servers 
which each define a bivariate polynomial, and the polynomial used by the system 
is the sum of these polynomials. Only a coalition of all these servers knows shares 
of other servers. The initialization uses a new verification protocol we discuss in 
Section 0. 

Robustness: A simple and straightforward procedure to verify that a user is 
receiving correct information from servers is to require the user to get shares 
from $k' > k$ servers and use the error-correction properties of Reed-Solomon 
codes to construct the correct share (see e.g. m). 
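The bivariate-polynomial scheme of this section, as an added example (not the paper's code). Assumptions: the field $\mathcal{H}$ is GF($p$) with $p = 2^{127} - 1$, server indices are $1, \ldots, n$, and the robustness step decodes by trying $k$-subsets of the $k' > k$ shares, a brute-force stand-in for Reed-Solomon decoding that suffices for one corrupt share among $k+2$.

```python
"""Bivariate-polynomial DPRF (Section 3.1), added example over GF(p), p = 2^127 - 1."""
import itertools
import secrets

P_FIELD = (1 << 127) - 1  # a Mersenne prime; elements are 127-bit, long enough for keys


def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points (mod p)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P_FIELD
                den = den * (xi - xj) % P_FIELD
        total = (total + yi * num * pow(den, -1, P_FIELD)) % P_FIELD
    return total


def poly_eval(coeffs, y):
    """Evaluate sum_j coeffs[j] * y^j by Horner's rule (mod p)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % P_FIELD
    return acc


class BivariateDprf:
    """Trusted initializer: P(x, y) of degree k-1 in x and ell-1 in y."""

    def __init__(self, n, k, ell):
        self.n, self.k, self.ell = n, k, ell
        # coeff[a][b] is the coefficient of x^a y^b; the key alpha is all k*ell of them
        self.coeff = [[secrets.randbelow(P_FIELD) for _ in range(ell)] for _ in range(k)]

    def server_key(self, i):
        """alpha_i = Q_i(y) = P(i, y): the ell coefficients of a degree ell-1 polynomial."""
        return [sum(self.coeff[a][b] * pow(i, a, P_FIELD) for a in range(self.k)) % P_FIELD
                for b in range(self.ell)]

    def f(self, h):
        """Reference value f(h) = P(0, h); only the initializer can compute it directly."""
        return poly_eval(self.coeff[0], h)


def serve(alpha_i, h):
    """Server side: beta_{i,h} = F(alpha_i, h) = Q_i(h) = P(i, h)."""
    return poly_eval(alpha_i, h)


def reconstruct(shares):
    """User side: interpolate Q_h(x) = P(x, h) through k points (i, beta_{i,h}); return P(0, h)."""
    return interpolate(shares, 0)


def reconstruct_robust(shares, k):
    """Query k' > k servers; return the value whose polynomial is consistent with at
    least k+1 of the shares, or None if no such polynomial exists. A wrong share
    lies on the true degree-(k-1) polynomial only with probability about 1/p."""
    for subset in itertools.combinations(shares, k):
        agreeing = sum(1 for (x, y) in shares if interpolate(subset, x) == y)
        if agreeing >= k + 1:
            return interpolate(subset, 0)
    return None
```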

3.2 Distributed Weak PRFs Based on the DDH Assumption 

In this section we describe a different kind of approximation for a DPRF: we show 
a way to distribute a weak pseudo-random function pnuzi. A function $f$ is a weak 
PRF if it is indistinguishable from a truly random function to a (polynomial-time) 
observer who gets to see the value of the function on any polynomial 
number of uniformly chosen inputs (instead of any inputs of its choice). The 
definition of $k$-out-of-$n$ threshold evaluation of a weak pseudo-random function $f$ 
is similar to Definition 1. The only difference is that we require that given the 
computation process of $f$ on any polynomial number of uniformly chosen inputs, 
the value of $f$ on any additional uniformly chosen input is indistinguishable from 
random (this implies that $f$ remains a weak pseudo-random function). 

The main advantage of a distributed weak PRF compared with a distributed 
$\ell$-wise independent function is that the former is secure even when the adversary 
gets hold of any polynomial number of values. However, constructing a 
distributed weak PRF requires some computational intractability assumption 
(in particular, the existence of one-way functions). The specific construction 
described here relies on the decisional version of the Diffie-Hellman assumption 
(which we denote as the DDH assumption). This construction is rather attractive 
given its simplicity. 

The applicability of weak pseudo-random functions: Any distributed weak 
pseudo-random function $f$ can be transformed to a DPRF by defining $f'(x) = 
f(RO(x))$, where $RO$ is a random oracle (i.e., a random function that is publicly 
accessible to all parties as a black-box; see 0). Therefore, if one postulates the 
existence of random oracles then the construction we present below can be used 
for all the applications of DPRFs. However, this construction may be applicable 
even without the use of random oracles. Consider for example the application of 



338 Moni Naor, Benny Pinkas, and Omer Reingold 



DKDCs for multicast communication. Here there may be several scenarios where 
a distributed weak pseudo-random function is sufficient. One such scenario is 
when there exists a public mapping $H$ that assigns random names to groups of 
users. The key of a group can be the value of the distributed function applied 
to the group's name. It is conceivable that group names are chosen by some 
trusted party (or by a distributed protocol between several parties), and kept in 
some (possibly duplicated) publicly available server. In fact, using the specific 
functions described below is secure as long as some member of the group chooses 
the group name as $g^r$ and proves that it knows $r$. 

In the scheme we describe below, the user who computes the function $f$ 
should perform $k$ exponentiations. This overhead is larger than that of a 
Diffie-Hellman key exchange. However, the overhead is justified even for the DKDC 
application, since the Diffie-Hellman key exchange protocol cannot be used to 
solve the availability and the security requirements that underlie our solution 
of a consistent distribution of a KDC (and are especially important for multicast 
communication). 

Related distributed solutions were previously suggested for discrete-log based 
signatures (e.g. ^'4)- The novelty in our work is the fact that we prove the 
pseudo-randomness of the evaluated function. 

Setting and Assumptions: The scheme is defined for two large primes $P$ 
and $Q$ such that $Q$ divides $P - 1$, and an element $g$ of order $Q$ in $\mathbb{Z}_P$. The 
values $P$, $Q$ and $g$ are public and may either be sampled during the initialization 
or fixed beforehand. We assume that for these values, the decisional version 
of the Diffie-Hellman assumption (DDH-Assumption) holds. I.e., that given a 
uniformly distributed pair $(g^a, g^b)$, it is infeasible to distinguish between $g^{ab}$ and 
a uniformly distributed value $g^c$ with non-negligible advantage. For a survey on 
the application of the DDH-Assumption and a study of its security see [H]. 

The functions and their initialization: The family $\mathcal{F}$ is keyed by a uniformly 
distributed value $a \in \mathbb{Z}_Q$. For simplicity, we define the function $f_a$ over $\langle g \rangle$ 
(where $\langle g \rangle$ denotes the subgroup of $\mathbb{Z}_P$ generated by $g$).³ The function $f_a$ is 
defined by $\forall x \in \langle g \rangle,\ f_a(x) = x^a \bmod P$. 

The value $a$ is shared between the servers using the secret sharing scheme 
of Shamir P!: The initializer of the system chooses a random polynomial $P(\cdot)$ 
over $\mathbb{Z}_Q$ of degree $k-1$ such that $P(0) = a$. Each server $S_i$ receives the key 
$a_i = P(i)$. To facilitate robustness, the initializer also makes the values $g^a$ 
and $\{g^{a_i}\}_{i=1}^{n}$ public. It is also possible to let the servers perform a distributed 
initialization of $f$. 

Operation: Consider a user that wishes to compute $f_a(h)$ and approaches a 
set $J$ of $k$ servers $\{S_i\}_{i \in J}$. Each such server $S_i$ sends to the user the information 
$\beta_{i,h} = F(a_i, h) = f_{a_i}(h) = h^{a_i}$. After receiving information from the $k$ servers 
the user can perform a polynomial interpolation through the points $\{(i, \beta_{i,h})\}_{i \in J}$ in 
the exponent of $h$. I.e. he can compute 

$$f_a(h) = h^{a} = h^{\sum_{i \in J} \lambda_i a_i} = \prod_{i \in J} \beta_{i,h}^{\lambda_i},$$ 

where all exponentiations are in $\mathbb{Z}_P$ and the values $\{\lambda_i\}_{i \in J}$ are the appropriate 
Lagrange coefficients. 

³ In fact, one can define $f'_a$ over $\mathbb{Z}_P$ by setting $f'_a(x) = f_a(x')$ where $x' = 
x^{(P-1)/Q}$. If $f_a$ is a weak PRF then so is $f'_a$ since: (1) If $x$ is uniform in 
$\mathbb{Z}_P$ then $x'$ is uniform in $\langle g \rangle$. (2) For any $x' \in \langle g \rangle$ one can efficiently compute a 
uniformly chosen $((P-1)/Q)$-th root of $x'$. Computing such roots is possible by a 
generalization of Tonelli's algorithm presented by Adleman, Manders and Miller (see 
Q for a survey on this subject). 

It is easy to verify that querying any $k$ servers for the value $f_{a_i}(h)$ results in 
the same final value $f_a(h)$. Memory requirements from each server are minimal 
(i.e. storing a single value in $\mathbb{Z}_Q$). In order to serve a user each server should 
perform a single modular exponentiation in $\mathbb{Z}_P$. A user is required to perform $k$ 
modular exponentiations in $\mathbb{Z}_P$. 

The security of the scheme is proved by the following theorem. 

Theorem 2. If the DDH-Assumption holds then the above scheme is a $k$-out-of-$n$ 
threshold evaluation of a weak pseudo-random function. 

Proof Sketch: For clarity, we ignore at first the issue of corrupted servers and 
just prove that if the DDH-Assumption holds then $\mathcal{F} = \{f_a\}$ is a family of weak 
pseudo-random functions. Let $D$ be an efficient algorithm that gets the value of 
$f_a$ on $q-1$ uniformly chosen inputs $x_1, \ldots, x_{q-1}$ and distinguishes $f_a(x_q)$ from 
random with advantage $\varepsilon$ (where $x_q$ is also uniformly distributed). We construct 
an algorithm $A$ that breaks the DDH-Assumption: 

On input $(g^a, g^b, z)$, the algorithm $A$ first samples random values $\{r_i\}_{i=1}^{q-1}$ (in 
$\{1, \ldots, Q\}$). Then $A$ invokes $D$ and returns its output on the input $\{(g_i, f_a(g_i))\}_{i=1}^{q-1}$ 
and the additional pair of values $(x_q = g^b, z)$, where for each $i$, $g_i = g^{r_i}$ (and 
therefore $f_a(g_i) = (g^a)^{r_i}$ can be evaluated by $A$). It is easy to verify that the 
advantage $A$ has in distinguishing between the case that $z$ is uniform in $\langle g \rangle$ and 
the case that $z = g^{ab}$ is at least $\varepsilon$. 

We now need to show that no coalition of $k-1$ corrupt servers $S_{i_1}, \ldots, S_{i_{k-1}}$ 
can break the threshold scheme. The reason this holds is that such $k-1$ servers 
can be simulated by the algorithm $D$ described above. To do so, $D$ samples the 
secret values of the $k-1$ servers (i.e., $a_{i_1}, \ldots, a_{i_{k-1}}$) by itself. Let $P$ be the degree 
$k-1$ polynomial that interpolates these values and $a$. Define $a_j = P(j)$. $D$ can 
evaluate every $g^{a_j}$ using interpolation in the exponent of $g$ and can therefore 
evaluate all the values $f_{a_j}(g_i)$. □ 

Robustness: Since the values $\{g^{a_i}\}_{i=1}^{n}$ are public each server can prove the 
correctness of any answer $f_{a_i}(x) = x^{a_i}$. This can either be done by a zero-knowledge 
variant of Schnorr's proof for the value of the Diffie-Hellman function or 
by the non-interactive version that uses random oracles. 

It is possible to perform a distributed initialization of the scheme, secure 
against corrupt servers (even if their only goal is to disrupt the operation of the 
system rather than to learn keys), and to achieve proactive security 
for the scheme. 
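The DDH-based scheme of this section together with its robustness check, as an added example (not the paper's code). Assumptions: constructed toy parameters $P = 2039 = 2Q + 1$, $Q = 1019$, $g = 4$ of order $Q$ (far too small for any real use), inputs $h$ drawn from $\langle g \rangle$, and a Chaum-Pedersen style equality-of-discrete-log proof made non-interactive with SHA-256 as the random oracle; the user accepts $\beta_{i,h}$ only after checking the proof against the public $g^{a_i}$.

```python
"""DDH-based distributed weak PRF (Section 3.2), added example with toy parameters."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4            # constructed toy group: Q | P-1, g = 4 has order Q
assert pow(G, Q, P) == 1 and G != 1


def lagrange_coeffs(ids):
    """lambda_i (mod Q) such that sum_i lambda_i * P(i) = P(0) for deg P < len(ids)."""
    lam = {}
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * j % Q
                den = den * (j - i) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


class DdhDprf:
    """Trusted initializer: picks a, shares it with Shamir over Z_Q, publishes g^a, g^{a_i}."""

    def __init__(self, n, k):
        self.a = secrets.randbelow(Q - 1) + 1
        poly = [self.a] + [secrets.randbelow(Q) for _ in range(k - 1)]   # P(0) = a
        self.shares = {i: sum(c * pow(i, e, Q) for e, c in enumerate(poly)) % Q
                       for i in range(1, n + 1)}                            # a_i = P(i)
        self.pub_a = pow(G, self.a, P)
        self.pub_shares = {i: pow(G, a_i, P) for i, a_i in self.shares.items()}

    def f(self, h):
        """Reference value f_a(h) = h^a mod P; only the initializer knows a."""
        return pow(h, self.a, P)


def _challenge(h, y, z, A, B):
    """Random-oracle challenge c in Z_Q over the whole transcript."""
    data = ",".join(map(str, (G, y, h, z, A, B))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def serve(a_i, h):
    """Server i: beta_{i,h} = h^{a_i} plus a proof that log_g(g^{a_i}) = log_h(beta_{i,h})."""
    beta = pow(h, a_i, P)
    w = secrets.randbelow(Q)
    A, B = pow(G, w, P), pow(h, w, P)
    c = _challenge(h, pow(G, a_i, P), beta, A, B)
    r = (w - c * a_i) % Q
    return beta, (A, B, r)


def verify(pub_share, h, beta, proof):
    """User: accept beta as h^{a_i} only if the proof checks against the public g^{a_i}."""
    A, B, r = proof
    c = _challenge(h, pub_share, beta, A, B)
    return (pow(G, r, P) * pow(pub_share, c, P) % P == A
            and pow(h, r, P) * pow(beta, c, P) % P == B)


def combine(answers):
    """User: interpolation in the exponent, prod_i beta_i^{lambda_i} = h^{sum lambda_i a_i} = h^a."""
    lam = lagrange_coeffs(list(answers))
    out = 1
    for i, beta in answers.items():
        out = out * pow(beta, lam[i], P) % P
    return out
```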






3.3 DPRFs Based on Any Pseudo-random Function 

The following scheme can use any family of pseudo-random functions, but since 
its overhead for the $k$-out-of-$n$ access structure is $\binom{n}{k-1}$ it is useful only if the 
total number of servers $n$ is moderate and the threshold $k$ is small. 

Setting: Define $d = \binom{n}{n-k+1}$ and define the $d$ subsets $G_1, \ldots, G_d$ as all the 
subsets of $n - k + 1$ of the $n$ servers. 

Let $\mathcal{F}_m$ be a collection of pseudo-random functions with security parameter 
$m$. The key $a$ is a $d$-tuple $(a_1, \ldots, a_d)$ of elements from $\{1, \ldots, |\mathcal{F}_m|\}$, and 
defines a $d$-tuple $(f_{a_1}, \ldots, f_{a_d})$ of elements from $\mathcal{F}_m$. The function $f_a$ is defined 
as $f_a(x) = \bigoplus_{j=1}^{d} f_{a_j}(x)$. 

Initialization: A random key $a$ is chosen. We would like that for every $1 \le 
j \le d$, all the servers in subset $G_j$ would receive the key to the function $f_{a_j}$. 
Therefore for every server $S_i$, $a_i = \{a_j \mid i \in G_j\}$. Note that the union of the keys 
of any $k$ servers covers $a$ and is therefore sufficient to compute $f_a$. 

Operation: The DPRF system would provide the value $f_a(h) = \bigoplus_{j=1}^{d} f_{a_j}(h)$. 
When a user approaches a server $S_i$, and the server approves of the user computing 
$f(h)$, it should send to the user the information $\{f_{a_j}(h) \mid a_j \in a_i\}$. I.e., the 
server should provide to the user the output of all its functions on the input $h$. 
After approaching $k$ servers, the user has enough information to compute $f_a(h)$. 

For any coalition of $k-1$ servers there is a subset $G_j$ which does not contain any member of the coalition, and thus the coalition members cannot compute $f_{a_j}$. Therefore it is straightforward to prove that the construction is a $k$-out-of-$n$ evaluation of a pseudo-random function. The number of functions which each server should be able to compute is and the total number of functions is $d = \binom{n}{k-1}$. Therefore the scheme cannot be used for systems with a large threshold. However, for a moderate $n$ and a small $k$ the overhead is reasonable (e.g. for $n = 50$ and $k = 4$, $d = 19{,}600$ and a server should compute $4{,}606$ functions).

Note that the user receives the value of each function $f_{a_j}$ from more than a single server. Therefore, if the user sends to the servers the identities of the other servers which it approaches, the communication overhead is reduced if a simple mapping is used to ensure that the output of each function is sent once. Alternatively, the data redundancy can be used to provide robustness against corrupt servers that send incorrect data to users.

Generalization: The scheme can be generalized to any access structure. The construction we used corresponds to a monotone CNF formula which contains all clauses of $n - (k-1)$ out of $n$ elements. A similar formula can be used to realize any access structure. The total number of pseudo-random functions used is the number of clauses in the monotone CNF formula.

Comparison to previous work: Micali and Sidney considered more general access structures: they defined an $(n,t,u)$-resilient collection (with $t < u < n$) which enables any subset of $u$ (out of $n$) parties to perform the computation, while no subset of $t$ parties has this ability. We are interested in a sharp threshold, which provides the best security, and therefore require that $k = u = t+1$. Micali and Sidney proved a lower bound of for the number of functions in an $(n,t,u)$-resilient collection, and used the probabilistic method to show the existence of a construction which is $\ln\binom{n}{\cdot}$ times larger than the lower bound. Our deterministic construction (for the sharp threshold case) matches their lower bound, and is therefore optimal.

4 General Access Structure KDCs 

4.1 Using Monotone Symmetric Branching Programs 

We present here generalizations of the threshold schemes to access structures based on monotone symmetric branching programs. In Section 4.2 we describe constructions for access structures based on monotone span programs. This is a further generalization in that any linear secret sharing scheme can be simulated by a monotone span program of the same size (the converse is also true, i.e. any monotone span program can be simulated by a linear secret sharing scheme of the same size, see [3]). However, the constructions of this section are more efficient (especially for the DH based constructions), as described below.

The application of monotone symmetric branching programs (also called monotone undirected contact schemes, and switching networks) to secret sharing was suggested by Benaloh and Rudich and makes it possible to construct a secret sharing scheme for any monotone access structure (the question is the size of the shares). We first present the computational model of monotone symmetric branching programs and then a corresponding DPRF construction.

Monotone symmetric branching programs: Let $G = (V, E)$ be an undirected graph, $\psi : E \to \{1, \ldots, n\}$ be a labeling of the edges, and $s, t$ be two special vertices in $V$. A monotone symmetric branching program is defined as a tuple $(G, \psi, s, t)$ and has boolean output. Given an input $x = (x_1, \ldots, x_n) \in \{0,1\}^n$, define $G_x$ as the graph $G_x = (V, E_x)$, where $E_x = \{e \mid e \in E,\ x_{\psi(e)} = 1\}$. The output of the program is 1 if and only if $G_x$ contains a path from $s$ to $t$.

A DPRF construction: It is possible to construct DPRFs which are either $\ell$-wise independent or weakly pseudo-random, based on monotone symmetric branching programs. A user would have to receive information from a subset of the servers whose characteristic vector corresponds to a “1” output of the monotone symmetric branching program in order to obtain the required value. We present here the $\ell$-wise independent construction. Note that the corresponding DH construction is more efficient than with monotone span programs since it requires only multiplications and not exponentiations.

Initialization: A monotone symmetric branching program which realizes the required access structure is constructed. A random polynomial $P_s$ of degree $\ell-1$ is associated with the node $s$. The values distributed by the system are defined as $f(h) = P_s(h)$. A random polynomial $P_v$ of degree $\ell-1$ is associated with any other vertex $v$, except for the vertex $t$ to which the polynomial $P_t = 0$ is assigned. Every edge $e = (u, v)$ is associated with the polynomial $P_e = P_u - P_v$. Server $S_i$ is given all the polynomials associated with the edges which are mapped to $i$ (edges $e$ for which $\psi(e) = i$).
Reconstruction: A user which wants to obtain the value $f(h)$ should contact a privileged subset of the servers. Each server $S_i$ which is approached by the user and approves of him evaluating $f(h)$ should provide it with the values $\{P_e(h) \mid \psi(e) = i\}$. If the user receives information from a privileged subset it can sum the values that correspond to a path from $s$ to $t$ and get $P_s(h)$.
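The initialization and reconstruction just described, as an added example that is not the paper's code: a constructed four-vertex program (two disjoint $s$-$t$ paths, edges labelled with servers 1 to 4), polynomials over a prime field $\mathbb{Z}_P$ with an assumed $\ell = 3$, and a user that sums the received $P_e(h)$ along a path (the sum telescopes to $P_s(h)$).

```python
import random
from collections import deque

# Added example, not the paper's code: the l-wise independent DPRF of Section 4.1
# on a small constructed monotone symmetric branching program. Assumptions:
# arithmetic in the prime field Z_P, l = ELL, and server ids are the edge labels.
P = 2**61 - 1
ELL = 3


def rand_poly(rng, degree):
    return [rng.randrange(P) for _ in range(degree + 1)]


def poly_eval(coeffs, h):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * h + c) % P
    return acc


def poly_sub(a, b):
    return [(x - y) % P for x, y in zip(a, b)]


def initialize(vertices, edges, t, rng):
    """P_v random of degree l-1 for every vertex, P_t = 0, P_e = P_u - P_v for
    e = (u, v); server i receives the polynomials of all edges with psi(e) = i.
    edges: list of (u, v, psi(e)). Returns the vertex polynomials and the shares."""
    polys = {v: rand_poly(rng, ELL - 1) for v in vertices}
    polys[t] = [0] * ELL
    shares = {}
    for u, v, i in edges:
        shares.setdefault(i, []).append(((u, v), poly_sub(polys[u], polys[v])))
    return polys, shares


def server_reply(shares, i, h):
    """S_i returns {P_e(h) | psi(e) = i}, keyed by the edge."""
    return {e: poly_eval(p_e, h) for e, p_e in shares.get(i, [])}


def reconstruct(replies, s, t):
    """Find an s-t path using only edges whose P_e(h) was received and sum the
    values along it: the sum telescopes to P_s(h) - P_t(h) = P_s(h).
    Returns None when the received edges contain no s-t path (unprivileged set)."""
    adj = {}
    for reply in replies:
        for (u, v), val in reply.items():
            adj.setdefault(u, []).append((v, val))
            adj.setdefault(v, []).append((u, (-val) % P))  # undirected: P_(v,u) = -P_(u,v)
    queue, seen = deque([(s, 0)]), {s}
    while queue:
        node, total = queue.popleft()
        if node == t:
            return total
        for nxt, val in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, (total + val) % P))
    return None


def demo(h=12345, seed=1):
    """Constructed program: paths s-a-t (servers 1, 2) and s-b-t (servers 3, 4).
    Returns (via {1,2} correct, via {3,4} correct, result via {1,3})."""
    rng = random.Random(seed)
    edges = [("s", "a", 1), ("a", "t", 2), ("s", "b", 3), ("b", "t", 4)]
    polys, shares = initialize(["s", "a", "b", "t"], edges, "t", rng)
    f_h = poly_eval(polys["s"], h)

    def via(ids):
        return reconstruct([server_reply(shares, i, h) for i in ids], "s", "t")

    return via([1, 2]) == f_h, via([3, 4]) == f_h, via([1, 3])
```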

Quorum systems: A quorum system is a collection of sets (quorums), every two of which intersect (see the cited work on quorum systems for a discussion and some novel constructions with optimal load and high availability). A DPRF with an access structure in which every privileged set must contain a quorum has several advantages regarding its maintenance: for example, if a user should not be allowed to compute $f$ it is only required to inform all the servers in a single quorum of this restriction, and then every privileged set of servers contains at least one server which will refuse to serve that user. DPRFs with access structures based on the paths quorum system can be efficiently realized by the constructions we presented in this section.

Efficiency: The reconstruction of the secret in the Diffie-Hellman variant we presented here requires the user to perform multiplications. It is more efficient than the reconstruction for the monotone span program based Diffie-Hellman scheme we present in Section 4.2, which requires the user to perform exponentiations.

General prf: Note that a direct use of pseudo-random functions instead of the polynomials or of the Diffie-Hellman construction is insecure. The reason is that an edge $(u, v)$ is associated with a function $f_u - f_v$, and since there is no concise representation for this function which hides $f_u$ and $f_v$, the server which is mapped to the edge should get both functions $f_u$ and $f_v$. Subsequently, the server can compute $f_u(x)$ or $f_v(x)$ and not just $f_u(x) - f_v(x)$. Therefore a server which is mapped to an edge which touches $s$ has the ability to compute by itself the value of the shared function.



4.2 Using Monotone Span Programs 

It is possible to construct DPRFs with access structures which are realized by monotone span programs. Monotone span programs (MSPs) were introduced by Karchmer and Wigderson, and their corresponding secret sharing schemes are equivalent to linear secret sharing schemes in the sense that any secret sharing scheme in one of these classes can be realized by a scheme of the same size in the other class (see [3] for details). Recently MSPs were used by Cramer, Damgård, and Maurer to construct multi-party computation protocols for general monotone sets of subsets of players, any one of which may consist of cheaters. We first present the computational model of monotone span programs and then a DPRF construction.

Monotone span programs: A monotone span program is defined by a triple $(K, M, \psi)$ as follows. Let $K$ be a finite field and let $M$ be a matrix with $d$ rows and $e$ columns, and entries in $K$. The rows of $M$ are labeled by a mapping to server identities, $\psi : \{1, \ldots, d\} \to \{1, \ldots, n\}$. For a subset $A \subseteq \{1, \ldots, n\}$, define $M_A$ as the matrix consisting of the rows of $M$ which are labeled with $i \in A$, and let $d_A$ be the number of rows in this matrix.

Let $\varepsilon = (1, 0, \ldots, 0) \in K^e$ be the target vector ($\varepsilon$ can be replaced by any nonzero vector in $K^e$). An MSP computes a boolean function $f : \{0,1\}^n \to \{0,1\}$ defined by $f(x_1, \ldots, x_n) = 1$ if and only if $\varepsilon$ is in the image of $M_A$, where $A = \{i \mid x_i = 1\}$. That is, if there is a linear combination of the $d_A$ rows labeled with an $i$ for which $x_i = 1$, that equals the target vector $\varepsilon$. It is known that any monotone boolean function can be computed by an MSP (and the question is what size).

A DPRF construction: The construction is based on the MSP secret sharing scheme. We can achieve either $\ell$-wise independence or weak pseudo-randomness. A user would have to receive information from a subset of the servers which corresponds to a “1” output of the MSP in order to obtain the required value. In the following we present the DH based construction.

Initialization: An MSP which realizes the required access structure is constructed. All operations are performed over an appropriate field. A vector of random values $a = (a_1, \ldots, a_e)$ is associated with the columns of $M$. The function computed by the system is defined as $f(h) = h^{a_1}$.

Server $S_i$ is given the share $s_i = M_{\{i\}} a$, which is a vector of length $d_{\{i\}}$, the number of rows in $M_{\{i\}}$.

Reconstruction: A user which wants to compute $f(h)$ should contact a privileged subset of the servers. Each server $S_i$ which is approached by the user and approves of computing $f(h)$ should provide him with the values $\{h^{\beta} \mid \beta \in s_i\}$ (i.e. $h$ raised to the power of each of the coordinates of $s_i$). If the user receives information from a privileged subset then there is a linear combination in the exponents which obtains $f(h) = h^{a_1}$. The user can perform exponentiations and multiplications to compute this combination.
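As an added example that is not the paper's code, the DH-based construction above on a constructed four-server MSP (privileged sets $\{1,2\}$ and $\{1,3,4\}$ plus their supersets) in the order-509 subgroup of $\mathbb{Z}_{1019}^*$; the toy group and the Gauss-Jordan solver used to find the combination $\lambda$ with $\lambda M_A = \varepsilon$ are assumptions of the example.

```python
import random

# Added example, not the paper's code: the DH-based MSP DPRF of Section 4.2.
# Assumptions: a toy group, the subgroup of order Q = 509 in Z_PRIME^* generated
# by G = 4 (PRIME = 2Q + 1 = 1019), so exponents live in the field K = Z_Q.
PRIME, Q, G = 1019, 509, 4

# Constructed MSP: rows of M with their server labels psi; target epsilon = (1,0,0).
# Privileged: {1,2} (row1 - row2) and {1,3,4} (row1 + row3 - row4), and supersets.
M = [(1, 1, 0), (0, 1, 0), (0, 0, 1), (0, 1, 1)]
PSI = [1, 2, 3, 4]
EPS = (1, 0, 0)


def solve_mod(A, b, q):
    """One solution x of A x = b over Z_q (q prime) by Gauss-Jordan, or None."""
    m, n = len(A), len(A[0])
    rows = [[v % q for v in row] + [bi % q] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, q)
        rows[r] = [(v * inv) % q for v in rows[r]]
        for i in range(m):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % q for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(rows[i][n] for i in range(r, m)):   # a row 0 = nonzero: inconsistent
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = rows[i][n]
    return x


def share(a):
    """Initialization: server i gets s_i = M_{{i}} a, one coordinate per row labelled i."""
    return {i: [sum(mj * aj for mj, aj in zip(row, a)) % Q
                for row, lab in zip(M, PSI) if lab == i] for i in set(PSI)}


def server_reply(i, s, h):
    """S_i answers with {h^beta | beta in s_i}, in the order of its rows."""
    return [pow(h, beta, PRIME) for beta in s[i]]


def reconstruct(A, replies, h):
    """Find lambda with lambda M_A = epsilon and return prod (h^beta_j)^lambda_j
    = h^<epsilon, a> = h^a_1; None when A is not privileged."""
    rows = [row for row, lab in zip(M, PSI) if lab in A]
    its = {i: iter(replies[i]) for i in A}
    vals = [next(its[lab]) for lab in PSI if lab in A]      # same order as rows
    transposed = [[row[c] for row in rows] for c in range(len(EPS))]
    lam = solve_mod(transposed, EPS, Q)
    if lam is None:
        return None
    out = 1
    for v, l in zip(vals, lam):
        out = out * pow(v, l, PRIME) % PRIME
    return out


def demo(seed=5):
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in EPS]               # secret vector a = (a_1, a_2, a_3)
    h = pow(G, rng.randrange(1, Q), PRIME)           # an input h in the subgroup
    f_h = pow(h, a[0], PRIME)                         # f(h) = h^{a_1}
    s = share(a)

    def ask(A):
        return reconstruct(A, {i: server_reply(i, s, h) for i in A}, h)

    return ask({1, 2}) == f_h, ask({1, 3, 4}) == f_h, ask({2, 3, 4}), ask({1, 4})
```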



5 Proactive Security 

Proactive security enables a system of servers to automatically recover from repeated break-ins while preserving its security. The servers perform a periodic mutual refreshment of their secrets, and security is preserved as long as not too many servers are broken into between two refreshments (see the survey of proactive security cited in the references). We can amend our schemes with proactive security while preserving consistency: the value of $f(x)$ computed in two different requests would still be the same, even if several refreshment phases pass between the two requests.

The periodic refreshment requires communication between the servers, which 
is a new requirement for DPRFs. Alternatively, the refreshment can be controlled 
by a single secure server which is the only party sending refreshment information 
to servers. The system is kept secure as long as there is no break-in to this server, 
but since this server can be highly guarded (e.g. kept off-line at all times except 
for refreshment phases) this scenario seems reasonable. 
We describe very briefly how proactive security is obtained. The periodic refreshment phases employ techniques which are common in proactive refreshments, and a novel method for verifying that the refreshment values sent by each server are indeed correct. In the refreshment of the $\ell$-wise independent construction, $k$ servers $S_1, \ldots, S_k$ should each generate a random bivariate polynomial $P_l(x, y)$, subject to the constraint $P_l(0, \cdot) = 0$. Server $S_l$ sends to each other server $S_j$ the restriction of its polynomial to $x = S_j$, i.e. $P_l(S_j, \cdot)$. The new polynomial of each server is the sum of its old polynomial with all the new polynomials it receives.

The servers should run a verification protocol for the values they receive in the refreshment phase, in order to verify that $S_1, \ldots, S_k$ send shares of polynomials of the right degrees which are 0 for $x = 0$. This is essentially a verifiable secret sharing (VSS) protocol. It is possible to use a VSS protocol which is very efficient in both its computation and communication requirements. Very briefly, the verification is done by choosing a random point $c$, and requiring each $S_l$ to broadcast $P_l(\cdot, c)$. Each server should verify that $P_l(0, c) = 0$ and that the share it received agrees with this broadcast. Note that unlike earlier verification protocols, this protocol does not require communication between each pair of servers. The random point $c$ can be chosen in a very natural way: it can be defined as a value of the previous polynomial at a point which is only evaluated after the servers send the refreshment values.
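One refreshment phase with the broadcast verification, as an added example that is not the paper's code. It assumes that the $\ell$-wise independent base scheme stores at server $S_j$ the univariate polynomial $P(j, \cdot)$ of a bivariate $P(x, y)$ of degree $k-1$ in $x$ and $\ell-1$ in $y$ with $f(h) = P(0, h)$, that $S_j$ is identified with the field element $j$, and that the random point $c$ has already been agreed; the tampering case shows the check catching an inconsistent share.

```python
import random

# Added example, not the paper's code: a proactive refreshment of the l-wise
# independent construction (Section 5) with the broadcast-based verification.
# Assumptions: field Z_PR; server S_j is the field element j; server j stores
# P(j, .) for a bivariate P of degree k-1 in x and l-1 in y; f(h) = P(0, h).
PR = 2**61 - 1


def rand_bivariate(rng, deg_x, deg_y, zero_at_x0):
    """coeff[i][j] multiplies x^i y^j; P(0, .) = 0 means the x^0 row is all zero."""
    c = [[rng.randrange(PR) for _ in range(deg_y + 1)] for _ in range(deg_x + 1)]
    if zero_at_x0:
        c[0] = [0] * (deg_y + 1)
    return c


def restrict_x(c, x0):
    """P(x0, y) as a polynomial in y."""
    out = [0] * len(c[0])
    for i, row in enumerate(c):
        xi = pow(x0, i, PR)
        for j, cij in enumerate(row):
            out[j] = (out[j] + cij * xi) % PR
    return out


def restrict_y(c, y0):
    """P(x, y0) as a polynomial in x."""
    return [sum(cij * pow(y0, j, PR) for j, cij in enumerate(row)) % PR for row in c]


def ev(poly, x):
    acc = 0
    for coef in reversed(poly):
        acc = (acc * x + coef) % PR
    return acc


def verify_broadcast(broadcast, my_share, my_id, c, deg_x):
    """Server my_id's checks on S_l's broadcast of P_l(., c): right degree,
    P_l(0, c) = 0, and agreement with the share P_l(my_id, .) received privately."""
    return (len(broadcast) == deg_x + 1 and ev(broadcast, 0) == 0
            and ev(broadcast, my_id) == ev(my_share, c))


def lagrange_at_zero(points):
    """Value at x = 0 of the polynomial of degree < len(points) through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % PR
                den = den * (xj - xm) % PR
        total = (total + yj * num * pow(den, -1, PR)) % PR
    return total


def refresh_round(n=5, k=3, ell=4, h=4242, seed=7, cheater=None):
    """One refreshment by servers 1..k. cheater=(src, dst) makes S_src send S_dst
    a tampered share. Returns (f(h) unchanged as seen by servers 1..k, complaints)."""
    rng = random.Random(seed)
    base = rand_bivariate(rng, k - 1, ell - 1, zero_at_x0=False)
    shares = {j: restrict_x(base, j) for j in range(1, n + 1)}    # server j holds P(j, .)
    f_before = ev(restrict_x(base, 0), h)
    refreshers = range(1, k + 1)
    new = {src: rand_bivariate(rng, k - 1, ell - 1, zero_at_x0=True) for src in refreshers}
    sent = {(src, j): restrict_x(new[src], j) for src in refreshers for j in range(1, n + 1)}
    if cheater is not None:
        src, dst = cheater
        sent[(src, dst)] = [(v + 1) % PR for v in sent[(src, dst)]]   # tampered share
    c = rng.randrange(PR)                                             # agreed random point
    broadcasts = {src: restrict_y(new[src], c) for src in refreshers}
    complaints = [(j, src) for j in range(1, n + 1) for src in refreshers
                  if not verify_broadcast(broadcasts[src], sent[(src, j)], j, c, k - 1)]
    # each server adds the received polynomials to its own
    new_shares = {j: [(coef + sum(sent[(src, j)][t] for src in refreshers)) % PR
                      for t, coef in enumerate(shares[j])] for j in range(1, n + 1)}
    f_after = lagrange_at_zero([(j, ev(new_shares[j], h)) for j in range(1, k + 1)])
    return f_before == f_after, complaints
```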

Application to distributed initialization: The initialization of the system can be performed in a distributed manner. It is then required to verify that servers that participate in this process do not send incorrect data which would disrupt the operation of the system, i.e. that they send shares of polynomials of the right degrees. This verification can be performed very efficiently using the above protocol and a broadcast channel (note that it is not required to verify that the value of the polynomial is 0 for $x = 0$). The choice of the random point should be done by a distributed protocol which generates several values, where at least one of the values is guaranteed to be random.

Future Work 

The most obvious open problem is coming up with a construction which has all the properties of a DPRF, i.e. of a function which is strongly pseudo-random and can be evaluated a polynomial number of times. Another interesting line of research is the design of oblivious DPRFs, in which the servers do not learn the input $x$ for which the user wants to compute $f(x)$. Note that the known oblivious polynomial evaluation protocols are probably too expensive since the number of 1-out-of-2 oblivious transfers is linear in the degree of the polynomial.
Abstract. This paper describes new methods for fast correlation attacks, based on the theory of convolutional codes. They can be applied to arbitrary LFSR feedback polynomials, as opposed to the previous methods, which mainly focus on feedback polynomials of low weight. The results improve significantly on the few previous results for this general case, and are in many cases comparable with corresponding results for low weight feedback polynomials.

Keywords: Stream ciphers, Correlation attacks, Convolutional codes.



1 Introduction 

A binary additive stream cipher is a synchronous stream cipher in which the keystream, the plaintext and the ciphertext are sequences of binary digits. The output of the keystream generator, $z_1, z_2, \ldots$, is added bitwise to the plaintext sequence $m_1, m_2, \ldots$, producing the ciphertext $c_1, c_2, \ldots$. Each secret key $k$ as input to the keystream generator corresponds to an output sequence. Since the secret key $k$ is shared between the transmitter and the receiver, the receiver can decrypt, and obtain the message sequence, by adding the output of the keystream generator to the ciphertext, see Figure 1.



[Figure 1 (diagram): a keystream generator producing $z_1, z_2, \ldots$, added bitwise to the plaintext $m_1, m_2, \ldots$ to give the ciphertext $c_1, c_2, \ldots$]

Fig. 1. Principle of binary additive stream ciphers
The goal in stream cipher design is to efficiently produce random-looking sequences that in some sense are “indistinguishable” from truly random sequences. From a cryptanalysis point of view, a good stream cipher should be resistant against a known-plaintext attack. In a known-plaintext attack the cryptanalyst is given a plaintext and the corresponding ciphertext, and the task is to determine a key $k$. For a synchronous stream cipher, this is equivalent to the problem of finding the key $k$ that produced a given keystream $z_1, z_2, \ldots, z_N$. Throughout this paper, we hence assume that a given keystream $z_1, z_2, \ldots, z_N$ is in the cryptanalyst's possession and that cryptanalysis is the problem of restoring the secret key.

In stream cipher design, one usually uses linear feedback shift registers, LFSRs, as building blocks in different ways, and the secret key $k$ is often chosen to be the initial state of the LFSRs.

There are several classes of general cryptanalytic attacks against stream ciphers. In our opinion, the most important class of attacks on LFSR-based stream ciphers is correlation attacks. Basically, if one can in some way detect a correlation between the known output sequence and the output of one individual LFSR, this can be used in a “divide-and-conquer” attack on the individual LFSR. There is no requirement of structure of any kind for the key generator. The only thing that matters is the fact that, if $u_1, u_2, \ldots$ denotes the output of the particular LFSR, we have a correlation of the form $P(u_i = z_i) \neq 0.5$, see Figure 2.




Fig. 2. A sufficient requirement for a correlation attack, $P(u_i = z_i) \neq 0.5$.



A “textbook” methodology for producing random-like sequences from LFSRs is to combine the output of several LFSRs by a nonlinear function $f$ with desired properties. Here $f$ is a binary boolean function in $n$ variables. The purpose is to destroy the linearity of the LFSR sequences and hence provide the resulting sequence with a large linear complexity. This is depicted in Figure 3.

It is worth noticing that there always exists a correlation between the output $z_i$ and either one or a set of $M$ LFSR output symbols $\{u_i^{(i_1)}, \ldots, u_i^{(i_M)}\}$ in the model above. It is well known that if $f$ is an $(M-1)$-resilient (but not $M$-resilient) function then there is a correlation which can be expressed in the form $P(z_i = u_i^{(i_1)} + u_i^{(i_2)} + \cdots + u_i^{(i_M)}) \neq 0.5$. It is also known that there is a tradeoff between the resiliency and the nonlinearity of $f$, and hence $M$ must be rather small.

Fig. 3. Principle of nonlinear combination generators

Returning to the previously mentioned correlation attacks, the above overview demonstrates that finding a low complexity algorithm that can successfully use the existing correlation in order to determine a part of the secret key can be a very efficient way of attacking such stream ciphers in cryptanalysis. After the initializing ideas of Siegenthaler, Meier and Staffelbach found a very interesting way of exploiting the correlation in a fast correlation attack provided that the feedback polynomial of the LFSR has a very low weight. This work was followed by several papers, providing minor improvements to the initial results of Meier and Staffelbach. However, the algorithms that are efficient (good performance and low complexity) still require the feedback polynomial to be of low weight. Due to this requirement, it is today general advice when constructing stream ciphers that the generator polynomial should not be of low weight.



The problem addressed in this paper is the problem of constructing algorithms achieving similar performance and similar low complexity as mentioned above but for any feedback polynomial. The new algorithms that we propose are based on an interesting observation, namely that one can identify an embedded low-rate convolutional code in the code generated by the LFSR sequences. This embedded convolutional code can then be decoded with low complexity, using the Viterbi algorithm. From the result of the decoding phase, the secret key can be obtained. These algorithms provide a remarkable improvement over previous methods. As a particular example, consider an LFSR of length 40 with a weight 17 feedback polynomial, and an observed sequence of length $4 \cdot 10^5$ bits. Let $1 - p$ be the correlation probability. Then the earlier algorithm and its improvement are successful up to $p < 0.104$ and $p < 0.122$, respectively, whereas the proposed algorithm is successful up to more than $p < 0.4$ with similar computational complexity.



The paper is organized as follows. In Section 2 we give some preliminaries on the decoding model that is used for cryptanalysis, and in Section 3 we briefly review some previous algorithms for fast correlation attacks. In Section 4 we present our new ideas and give a description of the proposed algorithm. In Section 5 the simulation results are presented, and finally, in Section 6 we give some conclusions and possible extensions.



2 Preliminaries 



Consider the model shown in Figure 2. As most other authors, we use the approach of viewing the problem as a decoding problem. Let the LFSR have length $l$ and let the set of possible LFSR sequences be denoted by $\mathcal{L}$. Clearly, $|\mathcal{L}| = 2^l$ and for a fixed length $N$ the truncated sequences from $\mathcal{L}$ also form a linear $[N, l]$ block code, referred to as $C$. Furthermore, the keystream sequence $\mathbf{z} = z_1, z_2, \ldots, z_N$ is regarded as the received channel output and the LFSR sequence $\mathbf{u} = u_1, u_2, \ldots, u_N$ is regarded as a codeword from $C$. Due to the correlation between $u_i$ and $z_i$, we can describe each $z_i$ as the output of the binary symmetric channel, BSC, when $u_i$ was transmitted. The correlation probability $1 - p$, defined by $1 - p = P(u_i = z_i)$, gives $p$ as the crossover probability (error probability) in the BSC. W.l.o.g. we can assume $p < 0.5$. This is all shown in Figure 4.



[Figure 4 (diagram): the LFSR output $u_i$ passes through a BSC with crossover probability $p$, giving $z_i$]

Fig. 4. Model for a correlation attack



The cryptanalyst's problem can be formulated as follows. Given a length $N$ received word $(z_1, z_2, \ldots, z_N)$ as output of the BSC($p$), find the length $N$ codeword from $C$ that was transmitted.

From simple coding arguments, it can be shown that the length $N$ should be at least around $N_0 = l/(1 - h(p))$ for unique decoding, where $h(p)$ is the binary entropy function. If the length of the output sequence $N$ is modest but allows unique decoding, say $N = N_0 + D$, where $D$ is a constant, the fastest methods for decoding are probabilistic decoding algorithms like the Leon or Stern algorithms.

For received sequences of large length, $N \gg N_0$, fast correlation attacks are sometimes applicable. These attacks resemble very much the iterative decoding process proposed by Gallager [2] for low-weight parity-check codes. Due to the fact that the above attacks require the feedback polynomial $g(x)$ (or any multiple of $g(x)$ of modest degree) to have a low weight, one usually refrains from using such feedback polynomials in stream cipher design.



3 Fast Correlation Attacks — An Overview 



In [7, 8] Meier and Staffelbach presented two algorithms, referred to as A and B, for fast correlation attacks. Instead of an exhaustive search, as originally suggested, the algorithms are based on using certain parity check equations created from the feedback polynomial of the LFSR. All different algorithms for fast correlation attacks use two passes. In the first pass the algorithms find a set of suitable parity check equations in the code $C$ stemming from the LFSR. The second pass uses these parity check equations in a fast decoding algorithm to recover the transmitted codeword and hence the initial state of the LFSR.

The set of parity check equations that was used in [7, 8] was created in two separate steps. Let $g(x) = 1 + g_1 x + g_2 x^2 + \ldots + g_l x^l$ be the feedback polynomial, and $t$ the number of taps of the LFSR, i.e., the weight of $g(x)$ (the number of nonzero coefficients) is $t+1$. Symbol number $n$ of the LFSR sequence, $u_n$, can then be written as $u_n = g_1 u_{n-1} + g_2 u_{n-2} + \ldots + g_l u_{n-l}$. Since the weight of $g(x)$ is $t+1$, there are the same number of relations involving a fixed position $u_n$. Hence, we get in this way $t+1$ different parity check equations for $u_n$.

Secondly, using the fact that $g(x)^j = g(x^j)$ for $j = 2^i$, parity check equations are also generated by repeatedly squaring the polynomial $g(x)$. So if $g_0(x) = g(x)$, we create new polynomials by $g_{k+1}(x) = g_k(x)^2$, $k = 1, 2, \ldots$. This squaring is continued until the degree of a polynomial $g_k(x)$ is greater than the length $N$ of the observed keystream. Each of the polynomials $g_k(x)$ is of weight $t+1$ and hence each gives $t+1$ new parity check equations for a fixed position $u_n$.

Combining this squaring technique with shifting the set of equations in time, the same parity check equations are essentially valid in each index position of $\mathbf{u}$. From [7, 8] the number of parity check equations, denoted $m$, that can be found in this way is $m \approx \log\!\big(\tfrac{N}{2l}\big)(t+1)$, where $\log$ uses base 2.

In the second pass, one writes the $m$ equations for position $u_n$ as
\[
u_n + b_1 = 0, \quad u_n + b_2 = 0, \quad \ldots, \quad u_n + b_m = 0, \tag{1}
\]
where each $b_i$ is the sum of $t$ different positions of $\mathbf{u}$. Applying the same relations above to the keystream we can calculate the following sums,
\[
z_n + y_1 = L_1, \quad z_n + y_2 = L_2, \quad \ldots, \quad z_n + y_m = L_m,
\]
where $y_i$ is the sum of the positions in the keystream corresponding to the positions in $b_i$. Assume that $h$ out of the $m$ equations in (1) hold, i.e.,
\[
h = |\{\, i : L_i = 0,\ 1 \le i \le m \,\}|,
\]
when we apply the equations to the keystream. Then it is possible to calculate the probability $p^* = P(u_n = z_n \mid h \text{ equations hold})$ as
\[
p^* = \frac{p\, s^h (1-s)^{m-h}}{p\, s^h (1-s)^{m-h} + (1-p)(1-s)^h s^{m-h}},
\]
where $p = P(z_n = u_n)$, and $s = P(b_i = y_i)$.

Using the parity check equations found above, two different decoding methods were suggested in [7, 8]. The first algorithm, called Algorithm A, can briefly be described as follows: first find the equations for each position of the received bit and evaluate the equations. Then calculate the probabilities $p^*$ for each bit in the keystream, select the $l$ positions with the highest value of $p^*$, and calculate a candidate initial state. Finally, find the correct value by checking the correlation between the sequence and the keystream for different small modifications of the candidate initial state.

The second algorithm, called Algorithm B, used another approach. Instead of calculating the probabilities $p^*$ once and then making a hard decision, the probabilities are calculated iteratively. The algorithm uses two parameters $p_{thr}$ and $N_{thr}$.

1. For all symbols in the keystream, calculate $p^*$ and determine the number $N_w$ of positions with $p^* < p_{thr}$.

2. If $N_w < N_{thr}$ repeat step 1 with $p$ replaced by $p^*$.

3. Complement the bits with $p^* < p_{thr}$ and reset the probabilities to $p$.

4. If not all equations are satisfied go to step 1.
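The two-step parity check generation and the $p^*$ formula above, as an added example that is not the paper's code: a constructed toy LFSR with the weight-3 polynomial $g(x) = 1 + x^3 + x^{10}$ (so $t = 2$), a BSC with crossover $0.25$, and $s = P(b_i = y_i)$ computed as $(1 + (1-2p)^t)/2$ for crossover $p$ (an assumption, since the page does not give $s$ explicitly). It reports how strongly $p^*$ separates the correctly and the incorrectly received positions, which is what makes low-weight feedback polynomials a liability.

```python
import random

# Added example, not the paper's code: parity checks for a fixed position from a
# low-weight g(x) and its squarings (first pass of Meier-Staffelbach), then the
# per-position probability p*. Toy LFSR; s = P(b_i = y_i) is taken as
# (1 + (1-2p)^t)/2 for a BSC with crossover p (an assumption of this example).
TAPS = (0, 3, 10)   # exponents of g(x) = 1 + x^3 + x^10: weight t+1 = 3, l = 10


def lfsr_sequence(init_state, taps, N):
    """u_0..u_{N-1} with sum_{e in taps} u_{i+e} = 0 over GF(2) for every i."""
    l = max(taps)
    u = list(init_state)
    for i in range(l, N):
        u.append(sum(u[i - l + e] for e in taps if e != l) & 1)
    return u


def squared_polynomials(taps, N):
    """g_0 = g and g_{k+1} = g_k^2 (exponents double) while the degree is below N."""
    polys, cur = [], tuple(taps)
    while max(cur) < N:
        polys.append(cur)
        cur = tuple(2 * e for e in cur)
    return polys


def parity_checks(n, polys, N):
    """All relations that contain position n, each given as the other positions
    (those summed in b_i): t+1 per polynomial, keeping only those inside [0, N)."""
    checks = []
    for exps in polys:
        for e0 in exps:                               # align term e0 of g_k at n
            others = [n + e - e0 for e in exps if e != e0]
            if all(0 <= j < N for j in others):
                checks.append(others)
    return checks


def p_star(z, n, checks, p_corr, s):
    """p* = P(u_n = z_n | h of the m checks hold); p_corr = P(z_n = u_n)."""
    m = len(checks)
    h = sum(1 for others in checks if (z[n] + sum(z[j] for j in others)) % 2 == 0)
    num = p_corr * s ** h * (1 - s) ** (m - h)
    den = num + (1 - p_corr) * (1 - s) ** h * s ** (m - h)
    return num / den


def experiment(N=4000, p_cross=0.25, seed=3):
    """Returns (number of squared polynomials, mean p* over correctly received
    positions, mean p* over positions flipped by the BSC)."""
    rng = random.Random(seed)
    u = lfsr_sequence([rng.randrange(2) for _ in range(max(TAPS))], TAPS, N)
    flips = [rng.random() < p_cross for _ in range(N)]        # constructed BSC(p) errors
    z = [(ui + int(f)) & 1 for ui, f in zip(u, flips)]
    polys = squared_polynomials(TAPS, N)
    t = len(TAPS) - 1
    s = (1 + (1 - 2 * p_cross) ** t) / 2                       # P(b_i = y_i)
    stars = [p_star(z, n, parity_checks(n, polys, N), 1 - p_cross, s) for n in range(N)]
    n_bad = sum(flips)
    mean_ok = sum(st for st, f in zip(stars, flips) if not f) / (N - n_bad)
    mean_bad = sum(st for st, f in zip(stars, flips) if f) / n_bad
    return len(polys), mean_ok, mean_bad
```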

The performance of the algorithms described above is given in [7, 8]. The algorithms above work well when the LFSR contains few taps, but for LFSRs with many taps the algorithms fail. The reason for this failure is that for LFSRs with many taps each parity check equation gives a very small average correction and hence many equations are needed. An improvement was suggested in later work, where a new method for finding parity check equations was proposed. Let $\mathbf{u}_0$ be the initial state of the LFSR. The state after $t$ shifts can be written as $\mathbf{u}_t = A^t \mathbf{u}_0$, where $A$ is an $l \times l$ matrix that depends on the feedback polynomial. Using powers of the matrix $A$ a set of parity check equations can be found.

Another method of finding parity check equations has also been suggested. The idea of this algorithm is to use an algorithm for finding codewords of low weight in a general linear code.

4 New Fast Correlation Attacks Based on Convolutional Codes

The general idea behind the algorithm to be proposed can be described as follows. Looking at the parity check equations as described in (1), they are designed for a second pass that consists of a very simple memoryless decoding algorithm. For a general feedback polynomial, this puts very hard restrictions on the parity check equations that can be used (weight $\le t+1$ for a very low $t$). Our approach considers slightly more advanced decoding algorithms that include memory, but still have a low decoding complexity. This allows us to have looser restrictions on the parity check equations that can be used, leading to many more, and more powerful, equations. This work uses the Viterbi algorithm with memory 10 to 16 as its decoding algorithm. The corresponding restrictions on the parity check equations will be apparent in the sequel.

The proposed algorithm transforms a part of the code C stemming from the 
LFSR sequences into a convolutional code. The encoder of this convolutional 
code is created by finding suitable parity check equations from C. Some notation 
and basic concepts regarding convolutional codes that are frequently used can 
be found in Appendix A. 

The convolutional code will have rate $R = 1/(m+1)$, where the constant $(m+1)$ will be determined later. Furthermore, let $B$ be a fixed memory size. In a convolutional encoder with memory $B$ the vector $\mathbf{v}_n$ of codeword symbols at time $n$ is of the form
\[
\mathbf{v}_n = u_n G_0 + u_{n-1} G_1 + \ldots + u_{n-B} G_B, \tag{2}
\]
where in the case $R = 1/(m+1)$ each $G_i$ is a vector of length $(m+1)$. The task in the first pass of the algorithm is to find suitable parity check equations that will determine the vectors $G_i$, $0 \le i \le B$, defining the convolutional code.

Let us start with the linear code $C$ stemming from the LFSR sequences. There is a corresponding $l \times N$ generator matrix $G_{LFSR}$. Clearly, $\mathbf{u} = \mathbf{u}_0 G_{LFSR}$, where $\mathbf{u}_0$ is the initial state of the LFSR. The generator matrix is furthermore written in systematic form, i.e., $G_{LFSR} = (I_l \;\; Z)$, where $I_l$ is the $l \times l$ identity matrix. Given a generator matrix in this form, the parity check matrix is written as $P_{LFSR} = (Z^T \;\; I_{N-l})$, where each row of $P_{LFSR}$ defines a parity check equation in $C$.

We are now interested in finding parity check equations that involve a current symbol $u_n$, an arbitrary linear combination of the $B$ previous symbols $u_{n-1}, \ldots, u_{n-B}$, together with at most $t$ other symbols. Clearly, $t$ should be small and we mainly consider $t = 2$.

To find these equations we start by considering the index position $n = B+1$. Introduce the following notation for the generator matrix:
\[
G_{LFSR} = \begin{pmatrix} I_{B+1} & & Z_{B+1} \\ & I_{l-B-1} & Z_{l-B-1} \end{pmatrix}. \tag{3}
\]
Parity check equations for $u_{B+1}$ with weight $t$ outside the first $B+1$ positions can then be found by finding linear combinations of $t$ columns of $Z_{l-B-1}$ that add to the all zero column vector. This corresponds to the problem of finding weight $t$ codewords in the code dual to $Z_{l-B-1}$.

For the case $t = 2$ the parity check equations can be found in a very simple way as follows. A parity check equation with $t = 2$ is found if two columns from $G_{LFSR}$ have the same value when restricted to the last $l - B - 1$ entries (the $Z_{l-B-1}$ part). Hence, we simply put each column of $Z_{l-B-1}$ into one of $2^{l-B-1}$ different “buckets”, sorted according to the value of the last $l-B-1$ entries. Each pair of columns in each bucket will provide us with one parity check equation, provided $u_{B+1}$ is included.

Assume that the above procedure gives us a set of $m$ parity check equations for $u_{B+1}$, written as
\[
\begin{aligned}
u_{B+1} + \textstyle\sum_{i=1}^{B} c_{i1} u_{B+1-i} + b_1 &= 0, \\
u_{B+1} + \textstyle\sum_{i=1}^{B} c_{i2} u_{B+1-i} + b_2 &= 0, \\
&\ \vdots \\
u_{B+1} + \textstyle\sum_{i=1}^{B} c_{im} u_{B+1-i} + b_m &= 0.
\end{aligned}
\]
Now it follows directly from the cyclic structure of the LFSR sequences that exactly the same set of parity checks is valid for any index position $n$ simply by shifting all the symbols in time, resulting in
\[
\begin{aligned}
u_n + \textstyle\sum_{i=1}^{B} c_{i1} u_{n-i} + b_1 &= 0, \\
u_n + \textstyle\sum_{i=1}^{B} c_{i2} u_{n-i} + b_2 &= 0, \\
&\ \vdots \\
u_n + \textstyle\sum_{i=1}^{B} c_{im} u_{n-i} + b_m &= 0,
\end{aligned}
\]
where $b_k$, $1 \le k \le m$, is the sum of (at most) $t$ positions in $\mathbf{u}$.

Using the equations above we next create a rate $R = 1/(m+1)$ bi-infinite
systematic convolutional encoder. Recall that the generator matrix for such a
code is of the form

$$
G = \begin{pmatrix}
\ddots & & & & & \\
& G_0 & G_1 & \ldots & G_B & \\
& & G_0 & G_1 & \ldots & G_B \\
& & & & & \ddots
\end{pmatrix}, \qquad (4)
$$

where the blank parts are regarded as zeros. Identifying the parity check equations
above with the description form of the convolutional code in (4) gives
us

$$
\begin{pmatrix} G_0 \\ G_1 \\ G_2 \\ \vdots \\ G_B \end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 1 & \cdots & 1 \\
0 & c_{11} & c_{12} & \cdots & c_{1m} \\
0 & c_{21} & c_{22} & \cdots & c_{2m} \\
\vdots & \vdots & \vdots & & \vdots \\
0 & c_{B1} & c_{B2} & \cdots & c_{Bm}
\end{pmatrix}. \qquad (5)
$$

For each defined codeword symbol $v_n^{(i)}$ in the convolutional code we have an
estimate of that symbol from the transmitted sequence $z$.
Consider $t = 2$. If $v_n^{(0)} = u_n$ (an information bit) then $P(v_n^{(0)} = z_n) = 1 - p$.
Otherwise, if $v_n^{(i)} = u_{j_{1i}} + u_{j_{2i}}$ from the parity checks above, then $P(v_n^{(i)} = z_{j_{1i}} + z_{j_{2i}}) = (1-p)^2 + p^2$.

Using these estimates we can construct a sequence

$$
r = \ldots\, r_n^{(0)}\, r_n^{(1)} \cdots r_n^{(m)}\, r_{n+1}^{(0)}\, r_{n+1}^{(1)} \cdots r_{n+1}^{(m)} \ldots,
$$

where $r_n^{(0)} = z_n$ and $r_n^{(i)} = z_{j_{1i}} + z_{j_{2i}}$, $1 \le i \le m$, that plays the role of a
received sequence for the convolutional code. Then we have from the estimates
that $P(v_n^{(0)} = r_n^{(0)}) = 1 - p$ and that $P(v_n^{(i)} = r_n^{(i)}) = (1-p)^2 + p^2$ for $1 \le i \le m$.

Next, we enter the decoding phase.

To recover the initial state of the LFSR it is enough to decode $l$ consecutive
information bits correctly. Optimal decoding (ML decoding) of convolutional
codes uses the Viterbi algorithm.

The original Viterbi algorithm assumes that the convolutional encoder starts
in state 0. However, in our application there is neither a starting state nor
an ending state. To deal with this we start by assigning the metric $\log P(s =
z_1, z_2, \ldots, z_B)$ to each state $s$ in the trellis. We then proceed to decode from
$n = B$ as usual. Due to the difference regarding the endpoints, we run the
Viterbi algorithm over a number of "dummy" information symbols before we
come to the $l$ information symbols that we try to decode correctly. Similarly, after
these $l$ information symbols we continue the Viterbi algorithm over another
set of "dummy" information symbols before the algorithm outputs the result.
These are well known techniques in Viterbi decoding, and typically one has to
decode approximately 4-5 times $B$ "dummy" information symbols before
making the decoding decision. This means that decoding takes place over
approximately $J = l + 10B$ information symbols, where the $l$ symbols in the middle
are regarded as the $l$ bit sequence that we want to estimate. This estimate from
the Viterbi algorithm is then used to provide the corresponding estimate of the
initial state of the LFSR. This concludes the general description and we give a
detailed summary of the algorithm for $t = 2$.



The Proposed Algorithm ($t = 2$)

Input: The systematic $l \times N$ generator matrix in the form
$G_{LFSR} = (\, I_{B+1} \; g_{B+2} \cdots g_l \; g_{l+1} \cdots g_N \,)$.

1. For $l + 1 \le i, j \le N$ find all pairs of columns $g_i, g_j$ such that

$$
(g_i + g_j)^T = (\underbrace{*, *, \ldots, *}_{B}, 1, \underbrace{0, 0, \ldots, 0}_{l-B-1}),
$$

where $*$ means an arbitrary value. Then add

$$
(u_{n-B}, u_{n-B+1}, \ldots, u_n, 0, 0, \ldots, 0) \cdot (g_i + g_j) + u_{n+i} + u_{n+j} = 0
$$

to the set of parity check equations (in the shifted form above).

2. From this set, calculate $G_0, G_1, \ldots, G_B$ as in (5).
Create a received vector $r$ from $z$ by $r_n^{(0)} = z_n$ and $r_n^{(i)} = z_{j_{1i}} + z_{j_{2i}}$ for
$1 \le i \le m$, where $j_{1i}$ and $j_{2i}$ are the indices determined in 1.

3. Let $P(v_n^{(0)} = r_n^{(0)}) = 1 - p$ and $P(v_n^{(i)} = r_n^{(i)}) = (1-p)^2 + p^2$ for $B + 1 \le n \le l + 10B$.

Decoding part

4. For each state $s$, let $\log P(s = (z_1, z_2, \ldots, z_B))$ be the initial metric for that
state when we start the Viterbi algorithm at $n = B$.

5. Decode the received sequence $r$ using the Viterbi algorithm from $n = B$ until
$n = J$. Output the estimated information sequence $(u_{5B+1}, u_{5B+2}, \ldots, u_{5B+l})$.
Finally, calculate the corresponding initial state of the LFSR.



An Illustrating Example

Consider a length 40 LFSR with feedback polynomial

$$
g(x) = 1 + x + \cdots + x^{21} + \cdots + x^{25} + \cdots + x^{27} + \cdots
$$

An observed key sequence $z$ of length $N = 40000$ is found to be correlated to
the LFSR sequence with probability $1 - p = 1 - 0.1$. We want to decode the
received sequence $z$ transmitted over BSC(0.1) using the proposed method with
memory $B = 10$.

We start by writing down the generator matrix $G_{LFSR}$. Then we search for
suitable parity check equations by finding all pairs of columns in $G_{LFSR}$ for
which the last 29 index positions are all zero. Each such pair gives rise to one
parity check equation with $t = 2$. In this case, the following three parity check
equations were found:

$$
\begin{aligned}
u_n + u_{n-1} + u_{n-8} + u_{n-10} + u_{n+4690} + u_{n+23655} &= 0,\\
u_n + u_{n-2} + u_{n-3} + u_{n-4} + u_{n-7} + u_{n-8} + u_{n+4817} + u_{n+31970} &= 0,\\
u_n + u_{n-2} + u_{n-3} + u_{n-4} + u_{n-5} + u_{n-9} + u_{n+18080} + u_{n+4626} &= 0,
\end{aligned}
$$

which are all valid for $1 \le n \le 8030$. We get a fourth codeword symbol from the
information symbol itself. Then we can identify



$$
\begin{pmatrix} G_0 \\ G_1 \\ \vdots \\ G_B \end{pmatrix}
=
\begin{pmatrix} 1111 \\ 0100 \\ 0011 \\ \vdots \\ 0100 \end{pmatrix}.
$$

Thus, we have created a rate $R = 1/4$ convolutional code having generator
matrix

    ...
    1111 0100 0011 0011 0011 0001 0000 0010 0110 0001 0100
         1111 0100 0011 0011 0011 0001 0000 0010 0110 0001 0100
                                                              ...

where the blank parts are zeros.
Each $r_n$ in the received sequence $r = r_0 r_1 \ldots$ for the convolutional code is
created as

$$
\begin{aligned}
r_n^{(0)} &= z_n,\\
r_n^{(1)} &= z_{n+4690} + z_{n+23655},\\
r_n^{(2)} &= z_{n+4817} + z_{n+31970},\\
r_n^{(3)} &= z_{n+4626} + z_{n+18080},
\end{aligned}
$$

and $P(v_n^{(0)} = r_n^{(0)}) = 0.9$ and $P(v_n^{(i)} = r_n^{(i)}) = 0.82$, $1 \le i \le 3$. Finally we
run the Viterbi algorithm, starting at $n = 10$ with all different states
$(u_1, u_2, \ldots, u_{10})$. Each state has the initial metric $\log(P(u_1 = z_1) P(u_2 =
z_2) \cdots P(u_B = z_B))$. After reaching $n = 140$, we output $(u_{51}, u_{52}, \ldots, u_{90})$.



5 Simulation Results 



In this section we present some simulation results for our algorithm. The obtained
results are compared with the results in [?]. We choose to use
exactly the same case as tabulated in [?]. Thus all the simulations are based on
an LFSR with length $l = 40$, and a weight 17 feedback polynomial which is

$$
g(x) = 1 + x + \cdots + x^{21} + \cdots
$$





              Alg. B [?]   Alg. [?]         Our Algorithm
    N/l                                 B = 13   B = 14   B = 15
    10^3      0.092        0.096         0.19     0.22     0.26
    10^4      0.104        0.122         0.37     0.39     0.40

Table 1. Maximum p for different algorithms.



In Table 1 the maximum crossover probability $p$ is shown for algorithm B
in [?], the improvement in [?], and the proposed algorithm. Our results are
generated for different sizes of the memory $B$. As a particular example, we can see
that when we have $4 \cdot 10^5$ received symbols the proposed algorithm is successful
up to more than $p = 0.4$ for memory $B = 15$, whereas the algorithm in [?]
and the improvement in [?] are successful only up to a crossover probability of
0.104 and 0.122, respectively. In this case, $B = 15$, the proposed algorithm finds
roughly 2300 parity checks and hence the embedded convolutional code is of rate
roughly $R = 1/2300$. Also, the decoding takes place over $J = 200$ information
symbols. The computational complexity is proportional to $J \cdot m \cdot 2^B$, and in the
case $B = 15$, $m = 2300$, $J = 200$ the whole attack takes less than one hour on a
PC.






Another interesting property to look at is the success rate, i.e., the probability
of successful decoding given a channel with crossover probability $p$. In Figure 5
we plot the success rate as a function of $p$, when $B = 14$, for 40000 and 400000
received symbols, respectively.




Fig. 5. Success rate for B = 14 with N = 40000 and N = 400000. 



Finally, we make a comment regarding the theoretical performance of the
proposed algorithm for $t = 2$. For fixed parameters $l$, $B$ and $N$, we can determine
the expected number of suitable parity checks, i.e., the parameter $m$. Then one
can show that the success rate will be very close to 1 if the rate $R = 1/(m+1)$
is below the cutoff rate $R_0$ for the BSC($2p(1-p)$). However, we observe that
the simulated results are very close to the capacity $C$ of the BSC($2p(1-p)$),
which is $C = 1 - h(2p(1-p))$.

6 Conclusions 

New methods for fast correlation attacks have been proposed, based on iden- 
tifying an embedded convolutional code in the code C generated by the LFSR 
sequences of a fixed length N . The results show a significant improvement com- 
pared with previous work regarding general feedback polynomials. We have de- 
scribed the methods using an ordinary convolutional code together with standard 
Viterbi decoding. There are many different ways to extend these methods that 
can be considered in future work. 

Firstly, we note that by permuting the columns of $C$ before searching for
parity checks, we obtain a time-varying convolutional code. Secondly, the
computational complexity of the Viterbi algorithm grows exponentially with
$B$, which means that in practice $B$ is bounded to be at most 20-30. But
there are several other decoding algorithms, which are not ML, that have a
much lower computational complexity. Examples of such algorithms are the
M-algorithm (list decoding) and different sequential decoding algorithms [?]. They
are promising candidates for improving the performance.

Finally, we also mention the possibility of using iterative decoding. This can
roughly be described as follows. Identify several convolutional codes in $C$ that
have certain codeword symbols in common. Then decode them using APP (a
posteriori probability) decoding algorithms [?] and pass the symbol probabilities
to the other decoders. This procedure is iterated until the symbol probabilities
have converged to 0 or 1. We believe that this is a very promising approach,
and that we might see a further improvement in performance compared to the
results in this paper.
A Convolutional Codes

This section reviews some basic concepts regarding convolutional codes. For a
more thorough treatment we refer to [?]. A convolutional code is a linear code
where the information symbols and the codeword symbols are treated as infinite
sequences. In a general rate $R = b/c$, $b < c$, binary convolutional encoder (time-
invariant and without feedback) the causal information sequence

$$
u = u_0 u_1 \ldots = u_0^{(0)} u_0^{(1)} \cdots u_0^{(b)}\; u_1^{(0)} u_1^{(1)} \cdots u_1^{(b)} \ldots
$$

is encoded as the causal code sequence

$$
v = v_0 v_1 \ldots = v_0^{(0)} v_0^{(1)} \cdots v_0^{(c)}\; v_1^{(0)} v_1^{(1)} \cdots v_1^{(c)} \ldots
$$

where

$$
v_t = f(u_t, u_{t-1}, \ldots, u_{t-B}).
$$

The function $f$ must be a linear function. Furthermore, the parameter $B$ is called
the encoder memory.

In our particular application we only consider convolutional codes for which
the rate is of the form $R = 1/c$, i.e., $b = 1$, and thus we now adopt the notation

$$
u = u_0 u_1 \ldots,
$$

where $u_i \in \mathbb{F}_2$. Since $f$ is a linear function, it is convenient to write

$$
v_t = u_t G_0 + u_{t-1} G_1 + \cdots + u_{t-B} G_B,
$$

where $G_i$, $0 \le i \le B$, is a $1 \times c$ matrix, i.e., a length $c$ vector. Now we can rewrite
the expression for the code sequence as

$$
v_0 v_1 \ldots = (u_0 u_1 \ldots) G,
$$

where

$$
G = \begin{pmatrix}
G_0 & G_1 & \ldots & G_B & & \\
& G_0 & G_1 & \ldots & G_B & \\
& & & \ddots & &
\end{pmatrix} \qquad (7)
$$

and the blank parts of $G$ are assumed to be filled with zeros. We call $G$ the
generator matrix. The encoder can be illustrated as in Figure 6.
Fig. 6. A general convolutional encoder (without feedback).

The state of a system is a description that, together with a specification of
the present and future inputs, determines the present and future outputs.
From Figure 6 it is easy to see that we can choose the contents of the memory
cells at time $t$ as the encoder state $\sigma_t$ at time $t$,

$$
\sigma_t = u_{t-1} u_{t-2} \cdots u_{t-B}.
$$

Thus the encoder has at most $2^B$ different states at each time instant. We can
now consider all possible states $\sigma_t$ as vertices in a graph and put an edge between
two adjacent states $\sigma_t$ and $\sigma_{t+1}$ if and only if there is an information symbol
$u_t$ that takes the state from $\sigma_t$ at time $t$ to $\sigma_{t+1}$ at time $t + 1$. This graph
gives rise to a so called trellis. The convolutional code (or linear trellis code)
is the set of all possible codeword sequences (possibly with a predetermined
starting and ending state). If we label the edge in the trellis going from $\sigma_t$ to
$\sigma_{t+1}$ with $v_t = u_t G_0 + u_{t-1} G_1 + \cdots + u_{t-B} G_B$, the set of codeword sequences
will correspond to the set of possible paths in the trellis.

Example: Consider the rate $R = 1/2$ convolutional encoder with generator
matrix

$$
G = \begin{pmatrix}
11 & 10 & 11 & & \\
& 11 & 10 & 11 & \\
& & & \ddots &
\end{pmatrix}.
$$

The encoder can be implemented as in Figure 7, and the corresponding trellis is
depicted in Figure 8.

Suppose now that our trellis code is transmitted over the BSC with error
probability $p$. We are interested in determining the most probable codeword
from a received sequence $r$,

$$
r = r_0 r_1 \ldots = r_0^{(0)} r_0^{(1)}\; r_1^{(0)} r_1^{(1)} \ldots
$$

This corresponds to a maximum likelihood decoding problem, ML decoding.
The solution to the ML decoding problem for convolutional codes is the famous
Viterbi algorithm.

Fig. 7. A rate $R = 1/2$ convolutional encoder.

Fig. 8. A binary rate $R = 1/2$ trellis code.



The ML decoder chooses as its estimate $\hat{v}$ a sequence $v$ that maximizes
$P(r|v)$. Assuming that the starting and ending state are predetermined to be the
zero-state, the ML decoder works as follows. Introduce the Viterbi branch metric
$\mu(r_n, v_n) = \sum_i \log P(r_n^{(i)} \mid v_n^{(i)})$ (one usually introduces a translation and a
scaling in order to approximate the metric values with suitable integers [?]).



The Viterbi Algorithm

1. Assign the Viterbi metric to be zero at the initial node, and set $n = 0$.

2. For each node at depth $n + 1$: Find for each of its predecessors at depth
$n$ the sum of the metric of the predecessor and the branch metric of
the connecting branch. Find the maximum sum and assign this metric
value to the node. Also, label the node with the shortest path to it.

3. If we have reached the end of the trellis, stop and choose as the estimate
$\hat{v}$ a path to the ending node with largest Viterbi metric; otherwise
increment $n$ and go to 2.
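As an added illustration (not code from the paper), the following Python implements the encoder of Figure 7 and the three Viterbi steps above for that $R = 1/2$, $B = 2$ code, using Hamming distance as the branch metric; the information bits and the error positions are constructed for the example.

```python
# Added example (not from the paper): encoder and Viterbi decoder for the
# rate R = 1/2, memory B = 2 code of Figure 7, G_0 = (1,1), G_1 = (1,0),
# G_2 = (1,1), over a BSC.  With p < 1/2, maximising sum(log P(r|v)) is the
# same as minimising Hamming distance, so that is the branch metric used here.
from itertools import product

G = [(1, 1), (1, 0), (1, 1)]   # G_0, G_1, G_2: taps for u_t, u_{t-1}, u_{t-2}
B = len(G) - 1                 # encoder memory
C = len(G[0])                  # codeword bits per information bit


def branch_output(state, bit):
    """v_t = u_t G_0 + u_{t-1} G_1 + ... + u_{t-B} G_B for the edge that leaves
    `state` = (u_{t-1}, ..., u_{t-B}) on input u_t = `bit`."""
    window = (bit,) + state
    return tuple(sum(window[i] & G[i][k] for i in range(B + 1)) % 2
                 for k in range(C))


def encode(u):
    """Encode information bits u; the encoder starts in the zero state and is
    driven back to it by B trailing zeros.  Returns a list of C-tuples."""
    state = (0,) * B
    v = []
    for bit in list(u) + [0] * B:
        v.append(branch_output(state, bit))
        state = (bit,) + state[:-1]          # shift register update
    return v


def corrupt(v, flips):
    """Constructed BSC error pattern: flips is a list of (t, k) positions."""
    v = [list(sym) for sym in v]
    for t, k in flips:
        v[t][k] ^= 1
    return [tuple(sym) for sym in v]


def viterbi(r):
    """ML (minimum Hamming distance) decoding over the trellis of Figure 8,
    assuming start and end in the zero state.  Returns the information bits
    with the B terminating zeros removed."""
    INF = float("inf")
    zero = (0,) * B
    metric = {s: INF for s in product((0, 1), repeat=B)}
    metric[zero] = 0                         # step 1: zero metric at the root
    path = {s: [] for s in metric}           # survivor (input bits) to each state
    for symbol in r:                         # step 2: extend one trellis depth
        new_metric = {s: INF for s in metric}
        new_path = {s: [] for s in metric}
        for state, m in metric.items():
            if m == INF:
                continue                     # state not reachable yet
            for bit in (0, 1):
                nxt = (bit,) + state[:-1]
                cost = m + sum(a != b for a, b in
                               zip(branch_output(state, bit), symbol))
                if cost < new_metric[nxt]:   # keep the best predecessor
                    new_metric[nxt] = cost
                    new_path[nxt] = path[state] + [bit]
        metric, path = new_metric, new_path
    return path[zero][:-B]                   # step 3: best path into the end node


def demo():
    """Two channel errors are corrected: this code has free distance 5."""
    u = [1, 0, 1, 1, 0, 0, 1, 0]
    r = corrupt(encode(u), [(1, 0), (5, 1)])
    return u, viterbi(r)


if __name__ == "__main__":
    print(demo())
```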
Abstract. This paper describes an attack on an identification scheme
based on the permuted perceptron problem (PPP) as suggested by Pointcheval.
The attack finds the secret key, a vector of $n$ binary elements, in
time much faster than estimated by its designer. The basic idea in the
attack is to use several applications of a simulated annealing algorithm
and combine the outcomes into an improved search. It is left as an open
problem to what extent the methods developed in this paper are useful
also in other combinatorial problems.

Keywords: Cryptanalysis. Identification Scheme. Perceptron Problem.
Simulated Annealing.



1 Introduction 

Since the advent of zero-knowledge proofs in 1985 [5], several interactive
identification schemes have been proposed. The first protocols, like the Fiat-Shamir
scheme [2], were based on number theoretic problems and used arithmetic
operations with large numbers. In 1989, Shamir proposed a protocol of a different
nature, based on the hardness of an NP-complete problem, the Permuted Kernel
Problem [?]. The distinctive features of this scheme are its use of small
integers and its low requirement in memory and processing power. This makes
the protocol more suitable for implementations on small processors like smart
cards. In the sequel, two new problems (Syndrome Decoding and Constrained
Linear Equations) were proposed by Stern [?], [?]. More recently, Pointcheval
presented identification schemes based on the so called Permuted Perceptron
Problem (PPP) [3]. PPP is derived from the apparently simpler but still NP-
complete Perceptron Problem (PP), which in turn is motivated by the well known
Perceptron in Neural Computing. The identification schemes based on PPP are
attractive as the operations needed are only additions and subtractions of
integers of less than a byte. Thus the schemes are particularly well suited for
implementation on 8-bit processors. In view of implementations with restricted
memory and/or processing power, a precise determination of the security of the
identification schemes is required.

The security of Shamir's and Stern's combinatorial schemes has repeatedly
been the subject of publications (see e.g. [?] and the references quoted there).

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 363-377, 1999.

(c) Springer-Verlag Berlin Heidelberg 1999
The aim of this paper is to investigate the security of Pointcheval's schemes
for the parameter values suggested in [3]. The main conclusion is that the smallest
parameter values mentioned in [3], (m = 101, n = 117), are not secure enough
for cryptographic applications. For some technical reasons, all parameters
proposed in [3] are odd numbers.

In [3], several attacks against PPP have been tried. The most successful
method was a probabilistic search, known as simulated annealing. As any
solution for PPP is a solution for PP, simulated annealing is applied for solving
PP sufficiently often, until a solution that also satisfies PPP may be found. It is
reported in [3] that using this method, no solution for PPP for parameter sizes
greater than 71 could be found, even if the search continued for a long time. As
a consequence of the investigations in [3], the parameters m = 101, n = 117 were
suggested as a secure size for problem PPP.

In this paper, improved search algorithms to solve PP and PPP are developed.
In both problems, a solution consists of a vector of size $n$ with values
$+1$ and $-1$ as entries. Our main aim is to adapt simulated annealing in several
ways to directly solve PPP. Along this way, experiments revealed some intrinsic
structure in the problem which makes it possible to turn simulated annealing into an
iterated search procedure until a solution may be found. Our algorithms turn
out to be successful for instances of PPP for parameter sizes as large as 101
or larger. In particular, our methods are able to solve instances of the target
case m = 101, n = 117. Even if we find a solution only in a fraction of cases for
these parameters, our algorithm always identifies a subset of entries of a solution
vector which are correct with high probability. Besides test results for solving
example instances, our algorithms apply to give bounds for solving average
instances: We can generally solve PP and thus also PPP up to 280 times faster
than was estimated in [3].

In view of these results it is advisable for secure applications to choose the
higher parameter values proposed in [3]. But then the efficiency of the schemes
based on PPP compares less favourably to that of the other combinatorial
schemes.

It is conceivable that the iterated search method as developed in this paper
is also useful in certain other combinatorial and optimization problems.



2 The Permuted Perceptron Problem 

We follow the notation in [3] where possible. A vector whose entries have value
either $+1$ or $-1$ is called an e-vector, and similarly for matrices.

If $X$ is a vector of size $m$, let $X_i$ denote the $i$th entry in $X$.

Definition 1. The Perceptron Problem PP

Input: An $m \times n$ e-matrix $A$.

Problem: Find an e-vector $V$ of size $n$ such that
$(AV)_i > 0$ for all $i = 1, \ldots, m$.
In [3] reference is made to [?], showing that PP is an NP-complete problem.
It is possible to design a zero-knowledge identification protocol with every NP-
complete problem provided one-way hash functions exist. However such a protocol
will be efficient only if the underlying problem is hard already for moderately
sized input parameters. Therefore in [3] the following variant of PP is proposed:

Definition 2. The Permuted Perceptron Problem PPP

Input: An $m \times n$ e-matrix $A$, and
a multiset $S$ of nonnegative numbers of size $m$.

Problem: Find an e-vector $V$ of size $n$ such that
$\{\{ (AV)_i \mid i = 1, \ldots, m \}\} = S$.

Obviously, a solution for PPP is a solution for PP. In [3] this led to the
conclusion that the Permuted Perceptron Problem is more difficult to solve than
the original Perceptron Problem. However, knowledge of the prescribed multiset
$S$ may give some hint to a solution of PPP. As will be shown in this paper, this
is partially the case.

For cryptographic applications, one needs instances for which a solution is
known. To get such instances, a (pseudo-)random e-vector $V$ of size $n$ is chosen
which will be a solution of the future instance. Hereafter a random e-matrix $A$
of size $m \times n$ is generated and modified in the following way:

For $i = 1, \ldots, m$

- If $(AV)_i < 0$, the $i$th row of $A$ is multiplied by $-1$.

- If $(AV)_i > 0$, the $i$th row of $A$ remains unchanged.

Finally the multiset $S = \{\{ (AV)_i \mid i = 1, \ldots, m \}\}$ is computed. Consequently,
$(A, S)$ is an instance of the Permuted Perceptron Problem, with $V$ as a solution.

In an identification protocol, each prover uses a public instance $(A, S)$ and
a secret key $V$. To convince a verifier of his identity, a prover gives him evidence
of a solution $V$ to the instance $(A, S)$ by using a zero-knowledge protocol. The
description of several such protocols based on PPP is the main subject of [3] and
is not detailed here.

2.1 Simulated Annealing for PP and PPP

In [3] several attacks against the two problems PP and PPP have been tried in
order to evaluate the security of identification protocols based on PPP. Thereby
no structure was found which would make it possible to solve this problem with
obvious methods like Gaussian elimination. The attacks made in [3] are outlined
subsequently as far as they are relevant to our investigations:

Let $A = (a_{ij})$ be an $m \times n$ e-matrix and let $s_j = \sum_{i=1}^{m} a_{ij}$, $j = 1, \ldots, n$.

In a first attempt to attack PPP, the majority vector $M$ is considered, where
$M_j = \operatorname{sign} s_j$, $j = 1, \ldots, n$. As in applications $m$ and $n$ are odd, $M_j$ is well defined.
Suppose $(A, S)$ is an instance for PPP with solution $V$ as considered in the
previous section, where $A$ is an $m \times n$ matrix with $n > m$. Then in ([3], Theorem
4) it is stated that the vectors $M$ and $V$ are correlated:

$$
\#\{ j \mid M_j = V_j,\; j = 1, \ldots, n \} \approx 0.8n. \qquad (1)
$$

This leads to a reduced search for a solution $V$ of complexity of order $\binom{n}{0.2n}$.
However this number exceeds the common security margin $2^{64}$ for $n > 95$.

Due to the inefficiency of the previous attack, in [3] the method of simulated
annealing (SA) is proposed. This optimization method simulates a physical
cooling process and has been applied to various combinatorial and engineering
problems (see e.g., [?], [?]). The idea is to minimize in a probabilistic way an
appropriate energy or cost function on a finite space of input variables which
has to be provided with a distance measure. SA can only be expected to be
efficient if the energy function is roughly continuous, i.e., if the energy difference
for neighbouring inputs is bounded by a small number. In [3] the energy function
for solving PP is chosen to be

$$
E(V) = \frac{1}{2} \sum_{i=1}^{m} \big( |(AV)_i| - (AV)_i \big). \qquad (2)
$$

Figure 1 shows an example of a simulated annealing algorithm for PP and PPP.



Let $\alpha > 1$ and $0 < \beta < 1$. Let $rnd(0,1)$ be a function which returns a random number
between 0 and 1. Choose a candidate vector $V'$ at random.

1. Calculate $E(V')$

2. If $E(V') = 0$ stop

3. $T = \alpha$

4. while $T > 1$ do

(a) repeat $n$ times

i. Set $V'' = V'$ and change the sign of one randomly chosen entry of $V''$

ii. if $E(V'') < E(V')$ then $V' = V''$

else if $\exp((E(V') - E(V''))/T) > rnd(0,1)$ then $V' = V''$

iii. if $E(V') = 0$ stop

(b) $T = \beta \cdot T$

Fig. 1. Algorithm for simulated annealing for PP and PPP.
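As an added illustration (not code from the paper or from Pointcheval's implementation), the following Python builds an instance with a planted key exactly as in Section 2, evaluates the energy function (2), computes the majority vector of Section 2.1 and runs the annealing of Figure 1 with $\alpha = n$ from repeated random starts; the instance sizes and seeds are constructed for the example.

```python
# Added example (not from the paper): PP/PPP instance generation as in
# Section 2, the energy function (2), the majority vector of Section 2.1 and
# the simulated annealing of Figure 1, run on a small constructed instance.
import math
import random


def dot(row, V):
    """Entry (AV)_i for one row of A."""
    return sum(a * v for a, v in zip(row, V))


def make_instance(m, n, seed):
    """Construction of Section 2: draw a random e-vector V and a random
    e-matrix A, then flip every row with (AV)_i < 0 so that V solves PP.
    Returns (A, V, S), S being the multiset {{(AV)_i}} as a sorted list."""
    rng = random.Random(seed)
    V = [rng.choice((-1, 1)) for _ in range(n)]
    A = [[rng.choice((-1, 1)) for _ in range(n)] for _ in range(m)]
    for i in range(m):
        if dot(A[i], V) < 0:
            A[i] = [-a for a in A[i]]
    S = sorted(dot(row, V) for row in A)
    return A, V, S


def energy(A, V):
    """E(V) = 1/2 * sum_i (|(AV)_i| - (AV)_i): the total magnitude of the
    negative entries of AV.  E(V) = 0 exactly when V solves PP."""
    total = 0
    for row in A:
        y = dot(row, V)
        total += abs(y) - y          # 0 if y >= 0, otherwise 2|y|
    return total // 2


def multiset(A, V):
    """The multiset {{(AV)_i}} of a candidate, used to check PPP."""
    return sorted(dot(row, V) for row in A)


def majority_vector(A):
    """M_j = sign(s_j) with s_j the column sums; m odd means s_j != 0."""
    n = len(A[0])
    return [1 if sum(row[j] for row in A) > 0 else -1 for j in range(n)]


def anneal(A, n, rng, alpha, beta):
    """One run of the Figure 1 algorithm.  Returns (V', E(V')); E(V') = 0
    means a PP solution was reached before the schedule ended."""
    V = [rng.choice((-1, 1)) for _ in range(n)]
    E = energy(A, V)
    T = alpha                                   # step 3
    while T > 1 and E > 0:                      # step 4
        for _ in range(n):                      # (a) repeat n times
            W = V[:]                            # i. flip one random sign
            j = rng.randrange(n)
            W[j] = -W[j]
            Ew = energy(A, W)
            if Ew < E or math.exp((E - Ew) / T) > rng.random():   # ii.
                V, E = W, Ew
            if E == 0:                          # iii.
                break
        T = beta * T                            # (b)
    return V, E


def solve_pp(A, n, seed=1, beta=0.9, max_runs=500):
    """Repeat annealing from fresh random starts with alpha = n (the choice
    reported in the paper's tests) until E = 0; None if the budget runs out."""
    rng = random.Random(seed)
    for _ in range(max_runs):
        V, E = anneal(A, n, rng, alpha=n, beta=beta)
        if E == 0:
            return V
    return None


def demo(m=9, n=15, seed=7):
    """Plant a key, solve PP, and report whether the PP solution found also
    has the multiset S, i.e. whether it happens to solve PPP as well."""
    A, V, S = make_instance(m, n, seed)
    M = majority_vector(A)
    sol = solve_pp(A, n, seed=seed + 1)
    return {
        "planted_energy": energy(A, V),
        "majority_agreement": sum(a == b for a, b in zip(M, V)) / n,
        "solves_pp": sol is not None and energy(A, sol) == 0,
        "solves_ppp": sol is not None and multiset(A, sol) == S,
    }


if __name__ == "__main__":
    print(demo())
```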



Clearly, $E(V')$ is minimal (i.e. $E(V') = 0$) if and only if the candidate vector
$V'$ is a solution for PP. For this energy function, SA is successful for instances of
size up to 200. On the other hand it is reported in [3] that this way no solution
for PPP could be found for instances of size larger than 71, even if the algorithm
has been tried for a few months. Hereby, PPP is attacked via solving PP, in
the hope of finding a solution for PPP by performing the above SA algorithm
sufficiently often. In order to estimate the complexity of such a procedure, the
approximate number of solutions for PP and for PPP for average instances has
been determined. This suggested that the complexity for solving PPP via PP
is maximal if $n \approx m + 16$, in a practically relevant range $100 \le m \le 200$.
As a result, three candidate sizes for instances of PPP are proposed in [3]. The
smallest size recommended for the matrix $A$ is $m = 101$, $n = 117$. It is concluded
that solving instances of this size would need 12650 years, corresponding to a
complexity of about $2^{64}$ elementary operations, hence a work load sufficient to
guarantee the security of the underlying protocol.



3 Algorithms for Solving PPP 



In this section it is shown how to improve the simulated annealing search for a
solution of PPP. In general, the success of this search method essentially depends
on the choice of a suitable energy function which is deeply connected to the
underlying problem. In order to find such an energy function for PPP, let an
$m \times n$ e-matrix $A$ and $Y = AV$ be given as before. Determine a histogram
vector $H$ over the integers such that $H_i = \#\{ Y_j = i \mid j = 1, \ldots, m \}$. With $m, n$
odd, $H_i$ is set only for odd values of $i$, $1 \le i \le n$. In a simulated annealing
search let $V'$ denote the candidate for the secret key $V$, let $Y' = AV'$ and let
$H'$ denote the histogram vector of $Y'$. Then an obvious proposal for an energy
function would be the distance (in a suitable sense) between the correct and the
candidate histogram vector: $E(V') = \sum_i |H_i - H'_i|$ (where the summation
index $i$ is only taken over odd values). For this definition of energy, certainly
$E(V') = 0$ if and only if $V'$ is a solution for PPP. Experiments have shown
however, that this function $E$ is of no use for a search. The reason is that $E(V')$
may change too much even if only a single sign in $V'$ is changed. Hence this choice
of $E(V')$ is not continuous as is necessary for simulated annealing to work. As a
consequence, one may try to combine this function with the function which has
already shown to be successful for PP. This motivates an energy function of the
form

$$
E(V') = g_1 \sum_{i=1}^{m} \big( |Y'_i| - Y'_i \big) + g_2 \sum_{i=1}^{n} |H_i - H'_i|. \qquad (3)
$$

The first part of this function is a multiple of the sum of all negative entries $Y'_i$,
the second part is a multiple of the distance between the correct and candidate
histogram vector. It is clear that a solution for PPP (and PP) has been found
when $E(V') = 0$. The values of $g_1$ and $g_2$ provide a weighting of the two sums.
It has proved useful to choose $g_1 > 30$ and $g_2 = 1$. This introduces additional
energy (or penalty) for candidate vectors resulting in negative entries in $Y'$, and
such candidate vectors never result in a solution for PPP.

Also, the following equation can be used to increase the probability of success
of the PPP-search algorithm.

Corollary 3. Let $A = (a_{ij})$ be an $m \times n$ e-matrix. Let $s_j = \sum_{i=1}^{m} a_{ij}$,
$j = 1, \ldots, n$. If $AV = Y$ then

$$
\sum_{j=1}^{n} s_j V_j = \sum_{i=1}^{m} Y_i. \qquad (4)
$$

Note that the righthand side of Eq. (4) is equal to the sum of the elements in the
multiset $S$.

As mentioned in the previous section, the majority vector is in accordance
with $V$, the secret key, for about 80% of the entries. As before, let $s_j$ be the
vector computed as the sum of every column of $A$. By inspection of the majority
vector and the solution vector it follows that this fraction increases for larger
values of $\operatorname{abs}(s_j)$. As an example, for instances of PPP where $m = n = 73$,
experiments show that

$$
\operatorname{Prob}(M_j = V_j \mid \operatorname{abs}(s_j) > 11) \approx 0.94, \qquad (5)
$$

whereas for $m = n = 101$ this probability is still 0.92. Moreover for $m = n = 73$
and $m = n = 101$ tests show that on the average $\operatorname{abs}(s_j) > 11$ for 28 respectively
46 entries, or 38% respectively 46% of the entries. Similarly for $m = 101$, $n = 117$
experiments show that

$$
\operatorname{Prob}(M_j = V_j \mid \operatorname{abs}(s_j) > 11) \approx 0.91 \qquad (6)
$$

and that on the average $\operatorname{abs}(s_j) > 11$ for about 44% of the entries. Note that an
attacker knows the vector $s$, which he can compute from the matrix $A$. Thus,
an attacker can exploit that for large entries of $s$ the corresponding entry in the
secret key $V$ is known with a high probability.

3.1 The Search Algorithm

A first attempt for an algorithm is the following. Run the simulated annealing
algorithm of Figure 1 $t$ times with the energy function (3). In each run, record the
candidate vector $V'$ which gave rise to the lowest value of the energy function.
Find the entries, say the set $I$, which have the same sign in all these $t$ vectors.
Run the simulated annealing algorithm again $t$ times, but instead of choosing a
random starting vector, let the entries in $I$ have the values of the first $t$ tests;
the remaining entries are chosen at random. Record another $t$ vectors and find
another set $I$ and repeat the procedure until a solution is found. This algorithm,
hereafter called the PPP-search algorithm, has proved very successful for PPP
with larger values of $m$ and $n$. The values of $\alpha$ and $\beta$ play a crucial role for
the success of the simulated annealing algorithm. Also, the initial values, that
is the values of the first $t$ randomly chosen starting vectors, are very important for
the further progress of the PPP-search algorithm. In the tests reported later in
the paper, $\alpha = n$ was chosen.

There are several possible variants of the PPP-search algorithm. The following
modifications have been tried with varying success.

1. When in $t$ runs of SA an entry ends up with the same sign $t$ times, this entry
is fixed to this value throughout the entire search.

2. Exploit and incorporate Equation (4) and the facts (5) or (6).

3. Repeat the PPP-search algorithm until a sufficiently high number of entries,
say $u$, have the same (correct) sign in $t$ runs of the simulated annealing
algorithm. If $u$ is big enough, an exhaustive search for the remaining $n - u$
entries might be possible. Alternatively, one can exhaustively fix a subset of
the remaining $n - u$ entries and continue the PPP-search algorithm until a
solution is found.

The first variant is faster than the original. Once an entry has the same
sign in $t$ consecutive runs of SA, the entry is fixed throughout the remaining
search. Clearly, if this entry is correct, this variant will improve the search, but
conversely if this entry is incorrect and stays fixed, the search will never find the
secret key vector $V$. It is still possible, though, that the search will find a vector
$V' \ne V$ such that $AV' = Y$.

A second variant of the PPP-search algorithm is to choose the entries of the
majority vector instead of random values in the starting vector of the first $t$ runs
of the simulated annealing algorithm. This has the effect that the set $I$ is larger,
however the number of incorrectly assigned entries increases. An alternative is
to use the majority vector only for entries where $\operatorname{abs}(s_j)$ has a predetermined
high value.

In the following we show how an exhaustive search for a remaining set of
entries can be done. First, in the PPP-search algorithm record the frequency of
the entries in the candidate vectors $V'$ from SA which gave rise to the lowest
value of the energy function. Let $W$ be a vector with $n$ integer entries. After each
run of SA set $W = W + V'$. After sufficiently many runs of the above algorithm,
tests show that $W$ holds the correct sign for a substantial part of the entries of
the correct secret key $V$. Assume the search has found about $u$, $0 < u < n$, correct
entries in the candidate solution vector. It turns out that when $u$ is not too
small, e.g., if $u > n/4$, the vector $W$ has the correct sign in 85-90% of all entries.
That is, let $V$ be the chosen solution vector; if $W_i < 0$ ($W_i > 0$) then with
probability $0.85 \ldots 0.90$, $V_i = -1$ ($V_i = 1$). In other words, only 10-15% of the
remaining $n - u$ entries are wrong. Thus if $n - u$ is not too big, it is possible to
exhaustively try to determine which of these entries are not in accordance with
the sign of $W$. Assume that $u$ entries have been found, and that for $n_w$ entries
in $W$ it holds that $W_i \cdot V_i < 0$, whereas $W_i \cdot V_i > 0$ for the remaining entries.

Then, if n_w is known, an exhaustive search at this point takes no longer than 



steps. An attacker cannot know the exact value of n_w, so the exhaustive search 
must be repeated for a few values of n_w in the neighbourhood of 0.85 × n. 
Alternatively, one can do an exhaustive search of a subset of the remaining n − u 
entries. The idea is to fix a subset of entries and continue the PPP-search for a 
number of steps. When the entries in the subset are assigned correct values, the 
PPP-search will find a solution. 

  m    n   Running time   Pointcheval's estimate 
101  117       0.3                 85 
121  137       0.5                130 
151  167       1.5                 ∞ 

Table 1. Running time in seconds for the PP search algorithm (averaged over 
50 tests). 

The search can be further improved by incorporating Equation […]. When 
doing the exhaustive search for a few entries, one starts by assigning values to 
the entries j for which abs(s_j) is small. After the assignment of a few entries 
the remaining entries are either forced by Eq. […] or lead to a contradiction. It is 
assumed that with this improvement the exhaustive search part takes less than 

operations. 

As shown in the next section the PPP-search algorithm with u = n works well 
on instances of PPP where m > n. In the case where m < n, as recommended 
by Pointcheval, the algorithm is less successful. This may be due to the fact that 
for a given matrix A and a multiset S there are several solutions to the problem 
and the search algorithm is not able to converge to one single solution. This is 
supported by the fact that in the cases where m > n the probability is high that 
there is only a single solution and the algorithms terminate fast and with a high 
probability of success. 

In the cases where m < n the probability of success can be increased by 
choosing u < n and performing also the exhaustive search part of the algorithm. 

4 Test Results 

The computer used for the tests in this section is a Sun Sparc Ultra-1. When 
running times are given in seconds or minutes, this is the real time it took the 
tests to succeed when running on a UNIX system with shared resources. Thus, 
when implementing on a single dedicated machine, the expected time of the 
algorithms will be lower. 



4.1 Results for PP 

The PPP-search algorithm can also be used to find solutions for PP by using 
the energy function. For this, PPP-search variant no. 1 choosing g_1 = 30 and 
g_2 = 0 in the energy function has proved very successful. Table 1 lists the results 
of 50 tests on PP with the recommended values of m and n. The running time 
is taken as the total real time divided by 50. All tests succeeded and found a 
solution. 
  m    n   Tests   Solutions   Running time 
 73   73    50        19         12 min. 
 81   81    50        11         22 min. 
101  101    50         5         84 min. 
101   81    50        32          2 min. 
121   81    50        43          1 min. 

Table 2. Results of the fast search algorithm for PPP. Running time is the 
average time of all successful tests. 



Note that our results listed in Table 1 for PP also improve the bounds deter- 
mined in [S] for the complexity of average instances of PPP by the same factors. 
E.g., for m = 101, n = 117, our experiments together with the estimates in [S] 
give a complexity of 2^[…] elementary operations. However, depending on the in- 
stance, our experiments with Fast Search as described in the next section show 
that this complexity may be much lower. 



4.2 PPP - Fast Search 

When implementing attacks on instances of PPP we found that some solutions 
were found much faster than others. In this section the results of a series of "fast 
tests" are given. The attacks do not find the solution of all instances of PPP, 
but when they find a solution, it is found fast. As mentioned earlier, PPP-search 
variant no. 1 is faster than the original one. When in t runs of the simulated 
annealing algorithm an entry holds the same sign in the t output vectors, such 
an entry is fixed in future tests. In these tests, whenever the search algorithm 
fixed an entry in the candidate solution vector different from the chosen one, the 
algorithm aborted. These test results are therefore very pessimistic. It might very 
well be that when the search algorithm was aborted it was converging towards a 
solution different from the chosen one. Table 2 lists the results of tests on several 
instantiations of PPP. The running times are pessimistic, taken as the total real 
time of all 50 tests divided by the number of correct solutions found. In [S] it 
was reported that no solutions were found for tests on instances of PPP with 
m, n > 71, even after running several months. Our results show that in about 
40% of the cases a solution can be found for m = n = 73 in just 12 minutes 
running time. The cases m = 101, n = 81 and m = 121, n = 81 are included to 
illustrate how well the PPP-search algorithm works when m > n. 

For the target version m = 101, n = 117 the PPP-search algorithm variant 
no. 1 was implemented with t = 30, α = 117 and β = 0.97 in the simulated 
annealing part. In 100 tests the algorithm found a solution in one of the cases. 
Using the exhaustive search extension, the solution can be found much faster 
than estimated in […] in 9 of the tests. Table 3 lists the results of 100 tests. In 
one test the solution was found using about 2^[…] simple operations. In one other 
test 72 entries were found when the search stopped. At this point the vector W 
held the correct sign in 102 of the 117 entries. Thus, an exhaustive search for the 
remaining 47 entries can be done in time about 



2^[…] simple operations. 

  m    n   Tests   Solutions   Complexities (estimates) 
101  117   100         9       2^31, 2^[…], 2^[…], 2^[…], 2^[…] 

Table 3. The results of a fast PPP-search for m = 101, n = 117. 

  m    n   Tests   Solutions   Complexity (estimated) 
 73   73    20        19       2^[…], …, 2^[…] 
101  101    20        14       2^[…], 2^[…], 2^[…], …, 2^[…] 

Table 4. The results of advanced search algorithms for PPP. Complexities are 
the total number of simple operations. 

The complexities of the other cases are computed similarly. The stated complexities are 
those of the exhaustive search for the remaining n − u entries, which is greater than 
the first part using simulated annealing. Therefore in a real-life situation, when 
attacking single instances, it may be very advantageous to run a more complex 
simulated annealing part. 



4.3 PPP - Advanced Search 

In the previous section a solution was found only for a fraction of all instances. 
Not surprisingly, increasing the complexity of the tests also increases the prob- 
ability of success. Table 4 lists the results of a series of tests. For the case 
m = n = 73 the PPP-search algorithm was used with t = 40 using variant 
no. 1. In the simulated annealing algorithm α = 73 and β = 0.85 were used. First 
all entries in the candidate vector for which abs(s_j) > 11 were fixed to M_j. 
As mentioned earlier, for these entries these assignments introduce only a few 
errors. Subsequently, the PPP-search algorithm was run for a certain number 
of steps. If no solution was found, one of the entries fixed in the beginning was 
given the opposite sign and the PPP-search algorithm was restarted. After only 
a small number of restarts a solution was found in 19 of 20 cases. The tests show 
that a solution for m = n = 73 can be found in a few hours with a high prob- 
ability of success. The total number of simple operations of the attacks varied 
from 2^[…] to 2^[…]. This attack variant might very well be adapted to the cases 
m = n = 101 and m = 101, n = 117. 

Variant no. 1 for PPP with m = n = 101 and t = 40 was implemented. 
First the PPP-search algorithm was run with a complexity of maximum 2^[…] 
simple operations. In 2 of 20 tests a solution was found. For the remaining tests 
a set of 20 entries which were not found by the search were fixed to the correct 
value of V and the PPP-search was continued. In 12 of the 18 tests a solution 
was found in at most 200 runs of the SA algorithm after the assignment of the 
20 entries. 200 runs of the SA algorithm in these tests equal about 2^[…] steps. 
In a real-life situation one should repeat the procedure for all possible values 
of the 20 entries, making the total complexity 2^[…] + s · 2^[…] steps for s < 2^[…]. 
However, the guessing of 20 binary values will succeed after about 2^[…] attempts 
and furthermore, the 20 entries are correlated to the majority vector, a fact we 
did not incorporate in these tests. 

To measure the success of our algorithms an SA step of relatively low com- 
plexity was chosen, such that the first part of the test could be implemented 
in reasonable time. In a real-life setting when attacking a single instance of the 
PPP one would choose the parameters such that the complexity of both parts 
of the algorithm would be roughly equal. With a more complex SA step (higher 
values of a and (3) one can expect more correct entries to be identified by the 
time of the brute-force assignments of additional entries. For instances of PPP 
with m = n = 101 run the first part of the above attack with a complexity of, 
say, 2"^°, whereafter most tests would find a solution shortly after an assignment 
of 20 correct entries, such that the total complexity would remain around 2"^° 
steps. It is conjectured that a solution can be found for a large part of all PPP 
instances where m = n = 101 in time at most 2“^^. 

It is further conjectured that the same variant of the attack is applicable to 
instances of PPP with m = 101, n = 117 where the first part of the above attack 
has complexities of about 2^®, . . . , 2®°, which also would be the total complexity 
of the attack. 

5 Suggestions for Future Work 

As can be seen from the previous sections there are many possible variants of the 
PPP-search algorithms. The simulated annealing algorithm is very sensitive to 
the values of the parameters, and a small change in β sometimes produces very 
different results. As an effect also the behaviour of the PPP-search algorithm 
changes. In tests on PPP with m = 31, n = 47, different sets of solutions were 
found with different values of the parameters. In the PPP-search algorithm the 
value of the parameter t is important. For some instances of PPP, solutions are 
found fast with a low value of t, whereas in other instances a higher value of t 
seems better. It might be possible also to improve the PPP-search algorithm by 
using more than one energy function. Either alternate between energy functions 
from one run of the simulated annealing algorithm to another, or use one energy 
function in t consecutive runs and another energy function in the next t runs. 

It is likely that the limits of our methods as determined in this paper are not 
optimum and that other variants and/or combinations of the parameters will 
improve the results. 



6 Conclusion 

In this paper it was demonstrated that the identification schemes based on the 
permuted perceptron problem are several orders of magnitude less secure than 
previously believed. Therefore it is recommended not to use these schemes with 
the suggested smallest parameters. As a consequence these identification schemes 
compare less favorably to other combinatorial schemes. The iterated search meth- 
ods developed in this paper can be formulated in general terms and thus might 
be useful also in other combinatorial problems. 
Abstract. A recoding rule for exponentiation is a method for reducing 
the cost of the exponentiation a^e by reducing the number of required 
multiplications. If w(e) is the (Hamming) weight of e, and e_A the result of 
applying the recoding rule A to e, then the purpose is to reduce w_A(e) as 
compared to w(e). A well-known example of a recoding rule is to convert 
a binary exponent into a signed-digit representation in terms of the digits 
{1, 1̄, 0} where 1̄ = −1, by recoding runs of 1's. In this paper we show 
how three recoding rules can be modelled via regular languages to obtain 
precise information about the resulting weight distributions. In particular 
we analyse the recoding rules employed by the 2^k-ary, sliding window 
and optimal signed-digit exponentiation algorithms. We prove that the 
sliding window method has an expected recoded weight of approximately 
n/(k + 1) for relevant k-bit windows and n-bit exponents, and also that 
the variance is small. We also prove for the optimal signed digit method 
that the expected weight is approximately n/3 with a variance of 2n/27. 
In general the sliding window method provides the best performance, 
and performs less than 85% of the multiplications required for the other 
methods for a majority of exponents. 



1 Introduction 



One of the fundamental operations in cryptography is exponentiation a^e over 
groups such as Z^*, general finite fields, and the group of points on an ellip- 
tic curve […]. The classical approach to performing this task is the binary 
method, and the complexity of the exponentiation is usually measured in terms 
of the number of squarings and multiplications required to determine a^e. Let 
e = e_{n−1}e_{n−2} ⋯ e_1e_0 be an n-bit exponent, e_i ∈ {0, 1}, 0 ≤ i < n, and let 
w(e) = Σ_{i=0}^{n−1} e_i be the weight of e. A simple analysis of the binary method 
shows that s squarings and w(e) − 1 multiplications are required, where s is the 
index of the most significant bit in e. Many general exponentiation algorithms of- 
fering complexity improvements over the binary method include the sliding-window 
method ([…] for example), signed-digit representations […], the 
signed-window method […], Lempel-Ziv recoding […] and the string replace- 
ment method […]. The reader is advised to see […] for a thorough survey. 



J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 375-[…], 1999. 
(c) Springer-Verlag Berlin Heidelberg 1999 
The common approach of these and other methods is to 'collect' exponent bits 
according to some rule for reducing the weight of e, hence reducing the number 
of required multiplications. For example, k consecutive bits are collected to form 
a single digit in the 2^k-ary method […], and the binary signed-digit method 
[…] replaces runs of two or more 1's with just two bits, one signed and one 
unsigned. We will refer to these and other rules for reducing the weight of e as 
a recoding rule. For a given recoding rule A let e_A = ε_t ε_{t−1} ⋯ ε_1 ε_0 be the result 
of applying A to e, and let w_A(e), the number of nonzero digits among the ε_i, 
denote the recoded weight of e_A. Once the recoding rule is applied, a variant 
of the b-ary method (b not necessarily equal to 2^k) can be used to complete the 
exponentiation, potentially after some precomputation has been done. In practice, 
the exponent recoding and arithmetic operations of the exponentiation are 
interleaved (see […] for examples of specific algorithms). 
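To make the three recoding rules concrete, the following Python example is added here; it is not code from the paper. It implements the 2^k-ary, sliding window and binary signed-digit recodings as lists of (digit, bit position) pairs, checks that each representation evaluates back to e, and compares the recoded weights w_A(e) with the binary weight w(e). The function names, the (digit, position) representation and the sample exponents 89 and 495 are this example's own choices; the sliding window is scanned from the most significant bit as in Section 4, and the signed-digit rule is the run-replacement rule described above, not the optimal signed-digit rule of Section 5.

```python
def binary_weight(e):
    """w(e): the number of 1 bits of e; the binary method needs w(e) - 1 multiplications."""
    return bin(e).count("1")


def tkm_recode(e, k):
    """2^k-ary (TKM) recoding: the binary expansion of e is cut into k-bit digits.
    Returns (digit, bit position) pairs, most significant digit first, with
    e == sum(digit * 2**position); every nonzero digit costs one multiplication."""
    digits, pos = [], 0
    while e:
        digits.append((e & ((1 << k) - 1), pos))
        e >>= k
        pos += k
    return digits[::-1]


def sliding_window_recode(e, k):
    """Sliding window recoding: scanning from the most significant bit, each 1 opens a
    window of at most k bits, which is then shrunk so that it also ends in a 1. Every
    digit is therefore odd, which is what halves the precomputation."""
    bits = bin(e)[2:]
    n = len(bits)
    digits, i = [], 0
    while i < n:
        if bits[i] == "0":          # zeros between windows cost squarings only
            i += 1
            continue
        j = min(i + k, n)           # tentative window bits[i:j]
        while bits[j - 1] == "0":   # shrink until the window ends with a 1
            j -= 1
        digits.append((int(bits[i:j], 2), n - j))
        i = j
    return digits


def signed_digit_recode(e):
    """Binary signed-digit rule from the introduction: a run 0 1^j with j >= 2 starting
    at bit i has value 2^(i+j) - 2^i and is replaced by 1 0^(j-1) 1bar, one unsigned and
    one signed digit; isolated 1s are kept. Digits lie in {-1, 0, 1}."""
    digits, pos = [], 0
    while e:
        if e & 1 == 0:
            e >>= 1
            pos += 1
            continue
        j = 0                       # length of the run of 1s starting at bit pos
        while (e >> j) & 1:
            j += 1
        if j == 1:
            digits.append((1, pos))
        else:
            digits.append((-1, pos))
            digits.append((1, pos + j))   # lands on the 0 that terminated the run
        e >>= j
        pos += j
    return sorted(digits, key=lambda d: -d[1])


def value_of(digits):
    """Evaluate a (digit, position) representation back to an integer."""
    return sum(d * (1 << p) for d, p in digits)


def recoded_weight(digits):
    """w_A(e): the number of nonzero digits, i.e. the multiplications beyond the squarings."""
    return sum(1 for d, _ in digits if d != 0)


def compare_recodings(e, k):
    """Weights of e under the binary method and the three recoding rules."""
    tkm, sw, sd = tkm_recode(e, k), sliding_window_recode(e, k), signed_digit_recode(e)
    for rep in (tkm, sw, sd):       # every rule must preserve the value of e
        assert value_of(rep) == e
    return {"binary": binary_weight(e), "2^k-ary": recoded_weight(tkm),
            "sliding window": recoded_weight(sw), "signed digit": recoded_weight(sd)}


if __name__ == "__main__":
    # constructed sample exponent 495 = 111101111 in binary, 3-bit windows
    print(compare_recodings(495, 3))
```

For 495 = 111101111 the binary method needs 8 digits, both window methods need 3, and the run-replacement rule needs 4 (each run of four 1s becomes one signed and one unsigned digit); the sliding window achieves its weight with odd digits only, so only 2^(k−1) powers have to be precomputed.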

To analyse the computational saving of recoding e according to rule A, we 
are required to examine the distribution of w_A(e), and also the cost of any 
precomputation implied by A. For the 2^k-ary method, w_A(e) is approximately 
binomial with parameters b(n/k, (2^k − 1)/2^k), and it is therefore reasonably 
understood. It is surprising however that in general other recoding methods 
are discriminated between solely on the basis of E[w_A(e)] and max_e w_A(e), 
the average and worst case weight recodings respectively (see […] for such 
comparisons). We assert that E[w_A(e)] and max_e w_A(e) provide information 
about the distribution of w_A(e), but without second order statistics, such as the 
variance, the accuracy and usefulness of this information is uncertain. 

In a recoding rule A that produces e_A = ε_t ε_{t−1} ⋯ ε_1 ε_0 from e, often the 
defining properties of the ε_i are quite simple, such as ε_i = 01^k (a run of 1's 
terminated by a 0, k ≥ 2) used in signed-digit recoding for example. This reflects 
the requirement that the recoding rule must be efficient, and also that simple 
recoding rules can be effective in reducing the cost of exponentiation. For many 
recoding rules of practical interest, the ε_i can be represented as elements of a 
specified regular language […], implying that the recoding can be performed by 
an appropriate deterministic finite automaton (DFA). For example, the recoding 
rules presented in […] are analysed in terms of their respective recoding DFAs. 

The main contribution in this paper is to propose a framework for analysing 
the weight distribution of recoding rules which can be described by regular lan- 
guages. For a recoding rule A, the basis of our analysis is to define a bivariate 
generating function (bgf) G_A(x, z) = Σ_{n,m≥0} a_{m,n} x^n z^m such that 

Pr(w_A(e) = m | ℓ_e = n) = a_{m,n} / 2^n, 

where ℓ_e is the bit length of e. Thus Ω_n = {m | a_{m,n} ≠ 0, 0 ≤ m ≤ n} and 
Pr(X_n = m) = a_{m,n} / 2^n will be the probability space describing the distribution 
of weights for n-bit exponents recoded according to A. For the binary method 
(BM), the relevant bgf (derived below) is 

G_BM(x, z) = \frac{1}{1 - (zx + x)} = \sum_{n \ge 0} (1 + z)^n x^n = \sum_{n \ge 0} \sum_{m=0}^{n} \binom{n}{m} x^n z^m,   (1) 

which indicates that the weights are distributed binomially, as expected. In gen- 
eral we will derive G_A(x, z) from A by considering the recoding rules prescribed 
by A as being performed by a DFA, pass to regular languages, and then enu- 
merate the set of n-bit exponents whose recoded weight is m using standard 
combinatorial methods (see [… p.377] or [… p.342] for example). This analysis 
technique covers many recoding methods of practical interest, but, for example, 
does not include the Lempel-Ziv exponentiation method of Yacobi […], since in 
this case the ε_i produced by the recoding are non-regular (a context-free 
grammar would be required). 

To demonstrate the generality of this approach, we analyse the weight distri- 
bution of recoded exponents for the 2^k-ary method […], sliding window method 
[…] and the optimal signed-digit method […]. We analyse the 2^k-ary method as 
it provides an obvious improvement over the binary method, and its analysis is 
instructive to the bgf approach. The sliding window method was selected since no 
satisfactory analysis exists (see […] for partial results), and yet it is described 
as 'the recommended method' for general exponentiation [… p.617]. We also se- 
lected the optimal signed-digit method […] for analysis since this method and its 
variants are often suggested for performing elliptic curve scalar multiplication, 
since group inversion is essentially free […]. For the 2^k-ary (k,TKM), 
k-bit sliding window (k,SW), and optimal signed digit (OSD) methods the bgfs 
for weight are as follows: 

G_{k,TKM}(x, z) = \frac{ z\left( \frac{1 - 2^k x^k}{1 - 2x} - \frac{1 - x^k}{1 - x} \right) + \frac{1 - x^k}{1 - x} }{ 1 - z(2^k - 1)x^k - x^k },   (2) 

G_{k,SW}(x, z) = \frac{ 1 - 2x + zx - z x^k 2^{k-1} }{ (1 - x - z x^k 2^{k-1})(1 - 2x) },   (3) 

G_{OSD}(x, z) = \frac{ 1 - x + xz - 2zx^2 + x^2 z^2 }{ 1 - 2x + x^2 - 2zx^2 + 2zx^3 }.   (4) 



Using standard transformations on bgfs we are able to obtain the numerical 
values of E[w_A(e)] and Var[w_A(e)] for each bgf from (2)–(4), and thus make 
comparisons on the number of required multiplications for each method. Since 
the TKM approximates the binomial distribution b(n/k, (2^k − 1)/2^k), the ex- 
pectation and variance of w_{k,TKM}(e) can be approximated accurately. Similar 
computations for the sliding window method are difficult, but we have been 
able to show by direct calculation that E[w_{k,SW}(e)] ≈ n/(k + 1) + ⋯ 
for n ∈ {512, 1024}, k ∈ {2, 3, …, 6}. We currently have no expression for 
Var[w_{k,SW}(e)] but we note that direct calculations show it to be small (for ex- 
ample less than 7 for 6-bit windows on 1024-bit exponents), and decreasing with k. 
The expectation and variance of the OSD method can be analysed exactly, mainly 
because there is no window parameter k to complicate the analysis. We prove 
that E[w_OSD(e)] = n/3 + ⋯ and Var[w_OSD(e)] = 2n/27 + ⋯ + o(1). 

The paper is organised as follows. In Section 2 we review some concepts of regular 
languages, and give the principal enumeration theorems. In Section 3 we derive the bgfs 
for the binary and 2^k-ary method, demonstrating our method of enumeration. In 
Section 4 we analyse the sliding window method, and then in Section 5 we analyse the optimal 
signed digit method. Conclusions and open problems are presented in the last 
section. 

2 Regular Expressions and Generating Functions 

Regular expressions are defined recursively […] as follows: if R and S are regular 
expressions then so is R + S (union), RS (concatenation) and R* (Kleene closure) 
where R* = Σ_{k≥0} R^k = ε + R + RR + RRR + ⋯. Also let r^k denote the 
concatenation of r with itself k times, and let r^+ = r* − ε. Over a binary 
alphabet we will call a k-run, k ≥ 1, and any word ω that is a k-run will also 
be simply referred to as a run. 

A regular expression R generates words ω = w_1 w_2 ⋯ w_n, w_i ∈ A, and ω is 
said to have length n, written as |ω| = n. The set of all words generated by the 
regular expression R, denoted by L_R, is called the regular language generated, or 
given, by R. Let L_R^n ⊆ L_R denote the set of words in L_R of length n ≥ 0. We will 
say that the (ordinary) generating function G_R(x) = Σ_{n≥0} a_n x^n enumerates L_R 
by length if a_n = |L_R^n| for all n ≥ 0. Let [x^n] be the operator that extracts the 
coefficient of x^n, so that [x^n]G_R(x) = a_n. It is clear that the regular expression 
R = (1 + 0)* generates the language L_R which is the set of all binary strings, and 
since |L_R^n| = 2^n, L_R is enumerated by the geometric series G_R(x) = 1/(1 − 2x). 
The key property that permits G_R(x) to be derived from R directly is given in 
the next definition. 

Definition 1. A regular expression R is unambiguous if there is only one way 
for R to generate each ω ∈ L_R. □ 

For example (1 + 0)* is unambiguous, but (1 + 0 + 10)* is ambiguous since the 
string ω = 10 can be generated by concatenating 1 and 0, or simply selecting 
10. Since it is known that any regular language can be generated by an unam- 
biguous regular expression [… p.378], the following theorem due to Chomsky 
and Schützenberger will be our main enumeration tool. 

Theorem 2. Let R and S be unambiguous regular expressions, that are enu- 
merated by the gfs G_R(x) and G_S(x). Then if R + S, RS and R* are also 
unambiguous, G_R(x) + G_S(x) enumerates R + S, G_R(x)G_S(x) enumerates RS, 
and 1/(1 − G_R(x)) enumerates R*. □ 

Recall that our goal is to determine the bgf G_A(x, z) = Σ_{n,m≥0} a_{m,n} x^n z^m 
such that a_{m,n} is the number of n-bit exponents recoded to weight m by algo- 
rithm A. Fortunately Theorem 2 can also be applied to these bgfs since for the ex- 
ponent recoding algorithms under consideration there exists a representation of 
the algorithms in terms of regular expressions for which w(R + S) = w(R) + w(S) 
and w(RS) = w(R)w(S). We restate this result formally as a corollary to The- 
orem 2. 

Corollary 3. Let R and S be unambiguous regular expressions, that are enu- 
merated by the bgfs G_R(x, z) and G_S(x, z). Then if R + S, RS and R* are 
also unambiguous, w(R + S) = w(R) + w(S), and w(RS) = w(R)w(S) then 
G_R(x, z) + G_S(x, z) enumerates R + S, G_R(x, z)G_S(x, z) enumerates RS, and 
1/(1 − G_R(x, z)) enumerates R*. □ 



An advantage of using G_A(x, z) for enumeration is that the expectation and 
variance of w_A(e) can be directly determined from manipulating G_A(x, z). Using 
standard operations on bgfs (see for example [… p.138]) we have that 

E[w_A(e)] = [x^n] \left. \frac{\partial G_A(x/2, z)}{\partial z} \right|_{z=1},   (5) 

Var[w_A(e)] = [x^n] \left. \left( \frac{\partial^2 G_A(x/2, z)}{\partial z^2} + \frac{\partial G_A(x/2, z)}{\partial z} \right) \right|_{z=1} - \left( [x^n] \left. \frac{\partial G_A(x/2, z)}{\partial z} \right|_{z=1} \right)^2,   (6) 

where [x^n]G(x) is the coefficient of x^n in G(x). Thus E[w_A(e)] and Var[w_A(e)] 
can be extracted by several differentiations of G_A(x, z) with respect to z, and 
determining the coefficient of x^n after setting z = 1. 



3 The Binary and 2^-ary Methods 

As examples of the techniques presented in the previous section, we now derive 
G_BM(x, z) given in (1) for the binary method, and also G_{k,TKM}(x, z) for the 
2^k-ary method given in (2). First observe that the binary method processes the 
exponent bit-by-bit, so the relevant regular expression is R = (1 + 0)*, which 
clearly generates all binary strings unambiguously. Second, marking (1 + 0) for 
length and weight gives zx + x, and Corollary 3 indicates that R is enumerated by 
G_BM(x, z) = 1/(1 − (zx + x)), as shown in (1). Though the 2^k-ary method (TKM) 
is a natural extension of the binary method, the derivation of G_{k,TKM}(x, z) is 
more complicated than that of G_BM(x, z). 

Theorem 4. Let a_{n,m} be the number of binary strings of length n for which 
the TKM-recoding using k-bit windows has weight m, 0 ≤ m ≤ n. Then 

G_{k,TKM}(x, z) = \sum_{n,m \ge 0} a_{n,m} x^n z^m = \frac{ z\left( \frac{1 - 2^k x^k}{1 - 2x} - \frac{1 - x^k}{1 - x} \right) + \frac{1 - x^k}{1 - x} }{ 1 - z(2^k - 1)x^k - x^k }.   (7) 

Proof. Consider the following regular expression 

R = R_1^* R_2 = \left( (1 + 0)^k \right)^* \left( ε + \sum_{i=1}^{k-1} (1 + 0)^i \right). 

R_1^* generates all binary k-bit windows repeatedly, while R_2 generates all binary 
strings of length less than k. R_1 is marked for length and weight as 

G_{R_1}(x, z) = z(2^k − 1)x^k + x^k,   (8) 

which denotes that all windows have length k, and all windows except one (the 
all-zero window) cost one multiplication in TKM. The marking for R_2 is as 
follows 

G_{R_2}(x, z) = z \left( \frac{1 - 2^k x^k}{1 - 2x} - \frac{1 - x^k}{1 - x} \right) + \frac{1 - x^k}{1 - x}.   (9) 

Note that (1 − 2^k x^k)/(1 − 2x) − (1 − x^k)/(1 − x) is the number of binary strings 
of length less than k that are neither empty nor all-zero. These strings each cost 
a multiply in the TKM. The (1 − x^k)/(1 − x) empty or all-zero strings cost no 
multiplies. The theorem follows from simplifying G_{R_1}(x, z)G_{R_2}(x, z). □ 

   n   k   E[w_{k,TKM}(e)]   Var[w_{k,TKM}(e)]   0.50   0.60   0.75   0.90   0.95   0.99 
 512   3       149.5              18.8             7      7      9     14     20     44 
 512   4       120                 7.5             4      5      6      9     13     28 
 512   5        99.6               3.3             3      3      4      6      9     19 
 512   6        84.4               1.5             2      2      3      4      6     13 
1024   3       298.8              37.5             9     10     13     20     28     62 
1024   4       240                15               6      7      8     13     18     39 
1024   5       198.6               6.2             4      4      5      8     12     25 
1024   6       168.3               2.7             3      3      4      6      8     17 

Table 1. The 2^k-ary encoding distributions for 512- and 1024-bit 
exponents. The columns show the value of a(w_{k,TKM}(e), p), p ∈ 
{0.50, 0.60, 0.75, 0.90, 0.95, 0.99}. 



Using (7) and (5), both E[w_{k,TKM}(e)] and Var[w_{k,TKM}(e)] can be determined 
for various values of k and n using a symbolic computation package (we have 
elected to use Maple […]). Recall that Chebyshev's inequality bounds the de- 
viation of a random variable X from its mean μ in terms of its variance σ²: 
Pr(|X − μ| ≥ d) ≤ σ²/d². Then define a(X, p) as 

a(X, p) = \min_{d} \left\{ d : \frac{\sigma^2}{d^2} \le (1 - p) \right\},   (10) 

which states that d is the smallest for which Pr(|X − μ| < d) ≥ p according 
to bounds derived by Chebyshev's inequality. Table 1 shows the distribution of 
TKM recoding weights for various values of k for 512- and 1024-bit exponents, 
and also the deviations a(w_{k,TKM}(e), p) for several probabilities p. 
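The coefficient extraction that Theorem 4, (5), (6) and (10) describe can be carried out numerically without a symbolic package. The following Python example is added here and is not the paper's code: it builds the marked regular-expression components of Theorem 4 and, going one step beyond this section, those of the sliding window bgf (3) derived in Section 4, expands G = G_{R_2} / (1 − G_{R_1}) as a truncated power series whose x^n coefficient is the polynomial Σ_m a_{n,m} z^m, and derives E, Var and the Chebyshev deviation a(X, p) from it. For small n it checks the series against a brute-force count over all 2^n strings. The function names and the list-of-dicts series representation are this example's own; like the bgfs, it counts weights over the full n-bit string including leading zeros.

```python
from fractions import Fraction
from itertools import product

# A bivariate series G(x, z) truncated at x-degree n_max is a list g where g[i]
# is the coefficient of x^i, itself a polynomial in z stored as {m: count}.


def poly_mul_add(acc, p, q):
    """acc += p * q for polynomials in z stored as {degree: coefficient}."""
    for a, ca in p.items():
        for b, cb in q.items():
            acc[a + b] = acc.get(a + b, 0) + ca * cb


def series_mul(p, q, n_max):
    """Product of two truncated series (Corollary 3's rule for the concatenation RS)."""
    out = [dict() for _ in range(n_max + 1)]
    for i, pi in enumerate(p):
        if i > n_max or not pi:
            continue
        for j, qj in enumerate(q):
            if i + j > n_max:
                break
            if qj:
                poly_mul_add(out[i + j], pi, qj)
    return out


def series_kleene(u, n_max):
    """1/(1 - u) for a series u with no constant term (Corollary 3's rule for R*):
    s_0 = 1 and s_n = sum_{i >= 1} u_i * s_{n-i}."""
    s = [dict() for _ in range(n_max + 1)]
    s[0] = {0: 1}
    for n in range(1, n_max + 1):
        for i in range(1, min(n, len(u) - 1) + 1):
            if u[i] and s[n - i]:
                poly_mul_add(s[n], u[i], s[n - i])
    return s


def tkm_components(k):
    """Marked R1 = (1+0)^k and R2 = strings shorter than k, as in (8) and (9)."""
    r1 = [dict() for _ in range(k + 1)]
    r1[k] = {0: 1, 1: 2 ** k - 1}      # the all-zero window is free, the others cost z
    r2 = [{0: 1}] + [{0: 1, 1: 2 ** l - 1} for l in range(1, k)]
    return r1, r2


def sw_components(k):
    """Marked R1 = 0 + (k-bit blocks starting with 1), R2 = empty or a final block
    starting with 1 with fewer than k bits left (Section 4, k >= 2)."""
    r1 = [dict() for _ in range(k + 1)]
    r1[1] = {0: 1}                     # a lone zero: length 1, no digit
    r1[k] = {1: 2 ** (k - 1)}          # 2^(k-1) blocks, each one nonzero digit
    r2 = [{0: 1}] + [{1: 2 ** (i - 1)} for i in range(1, k)]
    return r1, r2


def weight_distribution(components, n):
    """{m: a_{n,m}}: the coefficient of x^n in G = R2 / (1 - R1)."""
    r1, r2 = components
    return series_mul(series_kleene(r1, n), r2, n)[n]


def moments(dist):
    """Exact E and Var of the recoded weight of a uniformly random n-bit string."""
    total = sum(dist.values())
    mean = Fraction(sum(m * c for m, c in dist.items()), total)
    second = Fraction(sum(m * m * c for m, c in dist.items()), total)
    return mean, second - mean * mean


def mass_within(dist, d):
    """Fraction of strings whose recoded weight lies within +-d of the mean."""
    mean, _ = moments(dist)
    return Fraction(sum(c for m, c in dist.items() if abs(m - mean) <= d), sum(dist.values()))


def chebyshev_deviation(var, p):
    """a(X, p) of (10): the smallest d with var / d^2 <= 1 - p."""
    var, p = Fraction(var), Fraction(str(p))
    d = 1
    while var / (d * d) > 1 - p:
        d += 1
    return d


def tkm_weight(bits, k):
    """Brute-force TKM weight: k-bit windows from the most significant end."""
    return sum(1 for i in range(0, len(bits), k) if "1" in bits[i:i + k])


def sw_weight(bits, k):
    """Brute-force SW weight: scanning from the MSB, each 1 opens a window of up to k bits."""
    w = i = 0
    while i < len(bits):
        if bits[i] == "1":
            w += 1
            i += k
        else:
            i += 1
    return w


def brute_force_distribution(weight_fn, n):
    """Weight histogram over all 2^n constructed strings (only feasible for small n)."""
    counts = {}
    for bits in product("01", repeat=n):
        w = weight_fn("".join(bits))
        counts[w] = counts.get(w, 0) + 1
    return counts


if __name__ == "__main__":
    mean, var = moments(weight_distribution(tkm_components(4), 512))
    print("TKM k=4, n=512:", float(mean), float(var),
          [chebyshev_deviation(var, p) for p in ("0.50", "0.60", "0.75", "0.90", "0.95", "0.99")])
```

For k = 4 and n = 512 every window is full, so the series gives exactly E = 120, Var = 7.5 and the deviations 4, 5, 6, 9, 13, 28 of Table 1. Feeding `sw_components(5)` to the same functions reproduces the k = 5 mean of about 85.6 from Section 4 and lets one read off how much of the distribution lies within ±6 of it.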
4 The Sliding Window Representation 



The sliding-window method […] is a variant of the b-ary method […], and is 
the 'recommended method' for general exponentiation [… p.617]. When b = 2^k, 
the 2^k-ary method can be considered as parsing an exponent e into adjacent 
k-bit windows, where the window covering the least significant bit may be less 
than k bits. The idea of the sliding-window method is to select the placement 
of each k-bit window so that its most and least significant bit are equal to 
one. The advantage of such a partition over the 2^k-ary method is twofold: first 
the number of windows is expected to be reduced as runs of zeroes may occur 
between consecutive windows, and secondly, the amount of precomputation is 
halved as the windows only represent odd powers. We now derive G_{k,SW}(x, z), 
the bgf for the sliding window encoding of exponents using k-bit windows. 



Theorem 5. Let a_{n,m} be the number of binary strings of length n for which 
the SW-recoding using k-bit windows has weight m, 0 ≤ m ≤ n. Then 

G_{k,SW}(x, z) = \sum_{n,m \ge 0} a_{n,m} x^n z^m = \frac{ 1 - 2x + zx - z x^k 2^{k-1} }{ (1 - x - z x^k 2^{k-1})(1 - 2x) }.   (11) 

Proof. Consider the following regular expression 

R = R_1^* R_2 = \left( 0 + 10^{k-1} + \sum_{i=0}^{k-2} 1(0 + 1)^i 1\, 0^{k-2-i} \right)^* \left( ε + \sum_{i=1}^{k-1} 1(1 + 0)^{i-1} \right). 

R_1 generates words of length k that start and end with 1, and also the single 
word 0. Clearly then R_1^* generates all words corresponding to k-bit windows 
separated by runs of zeroes. R_2 generates either the empty string or a word 
beginning with 1, of length less than k, which corresponds to the case where 
there are not k − 1 bits following the most significant bit of the last window. 

We now mark R_1 for length and weight: 0 is marked x, 10^{k−1} is marked zx^k 
meaning it has length k and corresponds to one nonzero digit in the recoding, 
and 1(0 + 1)^i 1 0^{k−2−i} is similarly marked as zx^{k−i}(x + x)^i. Using the same 
rules for R_2 we have that 

G_{R_1}(x, z) = x + z x^k + z x^k \sum_{i=0}^{k-2} 2^i = x + z x^k + z x^k 2^{k-2}(2 - 2^{2-k}), 

G_{R_2}(x, z) = 1 + z x \cdot \frac{1 - x^{k-1} 2^{k-1}}{1 - 2x}. 

The theorem follows from simplifying G_{R_1}(x, z)G_{R_2}(x, z). □ 

Using a{X,p) from (1 1 1 )ll we can again bound the distribution of weights, which 
are given in Table 0 for 512-, 768- and 1024-bit exponents. Notice that the ex- 
pectations are very close to n/ (k + 1), a,s previously observed by Hui and Lam 
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n 


k 


n/{k -k 1) 


E[wfc,svv(e)] 


Var[wfc,sw(e)] 


0.50 


0.60 


0.75 


0.90 


0.95 


0.99 


512 


4 


102.4 


102.6 


8.3 


5 


5 


6 


10 


13 


29 


512 


5 


85.33 


85.6 


4.8 


4 


4 


5 


7 


10 


23 


512 


6 


73.14 


73.4 


3.1 


3 


3 


4 


6 


8 


18 


512 


7 


64 


64.3 


2.1 


3 


3 


3 


5 


7 


15 


1024 


4 


204.8 


205.0 


16.5 


6 


7 


9 


13 


19 


41 


1024 


5 


170.67 


170.9 


9.6 


5 


5 


7 


10 


14 


31 


1024 


6 


146.3 


146.6 


6.1 


4 


4 


5 


8 


12 


25 


1024 


7 


128 


128.3 


4.1 


3 


4 


5 


7 


10 


21 



Table 2. fc,SW encoding distributions for 512- and 1024-bit exponents. The 
columns show the value of a{wk,sw{^),p), P G {0.50, 0.60, 0.75, 0.90, 0.95, 0.99}. 



El. and that the variances are quite small. We now consider the case of k = 5 
explicitly, which is of interest since it is the optimal window size for the 2^-ary 
method on 512-bit exponents. 



Theorem 6. For a random n-bit exponent and 5-bit windows

$$
E[w_{5,SW}(e)] \sim \frac{n}{6} + \frac{5}{18}, \qquad
Var[w_{5,SW}(e)] \sim \frac{n}{108} + \frac{35}{324}. \qquad (12)
$$



Proof. Taking the partial derivative of G_{k,SW}(x, z) with respect to z, setting k = 5, and expanding with partial fractions we find that

$$
\left.\frac{\partial G_{5,SW}(x,z)}{\partial z}\right|_{z=1}
 = \frac{1}{6(1-2x)^2} + \frac{1}{9(1-2x)} - \frac{5 + 3x - 2x^2 - 8x^3}{18\,(8x^4 + 4x^3 + 2x^2 + x + 1)}
 = \sum_{n \ge 0} \frac{(n+1)(2x)^n}{6} + \sum_{n \ge 0} \frac{(2x)^n}{9} + \sum_{n \ge 0} O(1.77^n)\,x^n, \qquad (13)
$$

where 1.77 is the complex root with largest modulus of x^4 + x^3 + 2x^2 + 4x + 8, which is the reflected polynomial [?, p. 325] of 8x^4 + 4x^3 + 2x^2 + x + 1. The second derivative with respect to z at z = 1, k = 5 has the partial fraction decomposition

$$
\left.\frac{\partial^2 G_{5,SW}(x,z)}{\partial z^2}\right|_{z=1}
 = \sum_{n \ge 0} \frac{(n+1)(n+2)(2x)^n}{36} - \sum_{n \ge 0} \frac{4(n+1)(2x)^n}{27} + \sum_{n \ge 0} O(1.77^n)\,x^n.
$$

Thus, using the expressions of the mean and the variance in terms of these two derivatives, the variance is asymptotic to n/108 + 35/324. □



Using similar computations as in Theorem 6 we have verified the following theorem.

Theorem 7. For k in the range 2 ≤ k ≤ 10, E[w_{k,SW}(e)] ~ n/(k + 1) + …

We are currently working on extending the proof of the above theorem to all k and n, which involves proving that certain terms in the partial fraction expansion of E[w_{k,SW}(e)] tend to zero with n. At present we have no expression for Var[w_{k,SW}(e)], but note that in general it is small, meaning that the distribution is concentrated around its mean. For example, expanding G_{5,SW}(x, z) directly for 512-bit exponents shows that 99.6% of exponents will be recoded to a weight that lies within ±6 of E[w_{5,SW}(e)]. Similarly, 99.998% of 512-bit exponents are recoded to within ±10 of E[w_{5,SW}(e)].
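As an added example (not code from the paper), the following Python implements the constant-length window recoding described by the marking rules above (a 0 outside a window is marked x, a window opened by a 1 is exactly k bits long and counts as one nonzero digit, the last window may be shorter), enumerates the weight distribution exactly for small n, and cross-checks it against the generating function those rules produce, G(x, z) = (1 + z Σ_{j=0}^{k−2} 2^j x^{j+1}) / (1 − x − 2^{k−1} z x^k). Treating that G as the paper's G_{k,SW}(x, z) is my assumption, since the theorem stating it is not legible in the scan; it is supported by the fact that for k = 5 the denominator 1 − x − 16x^5 factors as (1 − 2x)(8x^4 + 4x^3 + 2x^2 + x + 1), the polynomial in the proof of Theorem 6. Function names are mine; the SW(k) cost formula is the one from Section 6.

```python
"""Constant-length sliding-window recoding: exact weight distribution vs. its
generating function.  Added example, not code from the paper; function names
and the assumed generating function are mine (see the lead-in)."""
from collections import Counter
from itertools import product


def sliding_window_weight(bits, k):
    """Nonzero digits after k-bit window recoding of `bits` (MSB first).
    A 0 outside a window is skipped; a 1 opens a window of exactly k bits,
    which counts as one nonzero digit; the last window may be shorter."""
    i, weight = 0, 0
    while i < len(bits):
        if bits[i] == '0':
            i += 1
        else:
            weight += 1
            i += k
    return weight


def weight_distribution(n, k):
    """{weight: number of n-bit strings}, by enumerating all 2^n strings."""
    return Counter(sliding_window_weight(''.join(b), k)
                   for b in product('01', repeat=n))


def gf_distribution(n, k):
    """[x^n] of G(x, z) = (1 + z*sum_{j<k-1} 2^j x^{j+1}) / (1 - x - 2^{k-1} z x^k)
    as {weight: count}: c_m = c_{m-1} + 2^{k-1} z c_{m-k} + numerator_m."""
    numer = {0: {0: 1}}
    for j in range(k - 1):
        numer[j + 1] = {1: 2 ** j}          # the short final window 1(0+1)^j
    coeff = []
    for m in range(n + 1):
        c = Counter(numer.get(m, {}))
        if m >= 1:
            c.update(coeff[m - 1])          # a leading 0
        if m >= k:
            for w, cnt in coeff[m - k].items():
                c[w + 1] += 2 ** (k - 1) * cnt   # a full window 1(0+1)^{k-1}
        coeff.append(c)
    return coeff[n]


def mean_weight(dist):
    return sum(w * c for w, c in dist.items()) / sum(dist.values())


def multiplications_sw(weight, k):
    """SW(k) = 2^{k-1} + w_{k,SW}(e) - 2 multiplications, as counted in Section 6."""
    return 2 ** (k - 1) + weight - 2
```

For k = 5 the mean of `gf_distribution(n, 5)` approaches n/6 + 5/18 as n grows, which is the constant the partial fractions of Theorem 6 give; the exhaustive and generating-function distributions agree exactly for every n and k tried.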



5 Signed-Digit Representations

A signed-digit representation of the number e in base b writes e as a sum of digits a_i times powers of b, where a_i ∈ {0, ±1, ±2, ..., ±(b − 1)}, implying that binary numbers are consequently encoded using the digits {0, 1, −1 = 1̄}. In general, the signed-digit representation of a number for a fixed base is not unique, and even the encoding of minimal weight need not be unique. An algorithm for producing a minimal weight signed-digit encoding for a general base b is given by Arno and Wheeler [?].

Working with negative exponents requires group inversions, which can be costly over some groups if the appropriate inverses cannot be precomputed. On the other hand, signed-digit representations are particularly attractive for arithmetic over elliptic curves, since they correspond to addition-subtraction chains, and point addition and subtraction on cryptographic curves have the same cost in terms of group operations [?].

Definition 8. Let e = …, a_i ∈ {0, 1, −1 = 1̄}, be a minimal weight signed-digit encoding of e. The encoding is called sparse if no two consecutive digits a_i, a_{i+1} are both nonzero.

Jedwab and Mitchell [?] prove that sparse encodings are unique and have minimal weight. The algorithm in Figure 1 converts e to a sparse encoding [?] by repeatedly applying the identity 2^{k+1} − 1 = Σ_{i=0}^{k} 2^i. This guarantees sparseness since adjacent bits are encoded as 10···01̄, and for this reason sparse exponents are also said to be in nonadjacent form [?]. We will refer to exponents recoded according to Figure 1 as Optimal Signed Digit encodings, or OSD recodings.

Asymptotic results indicate that the weight of an OSD-encoding approaches n/3 for a random n-bit exponent [?]. It was only recently (1996) that the exact analysis was given by Gollmann, Han and Mitchell [?] who proved that the expected weight is n/3 + 4/9 up to an exponentially small term. Previously, Arno and Wheeler [?] exhibited a Markov chain P that mimics an OSD-encoding algorithm, whose limiting distribution gives the expected number of zeros in the resulting encoding. We now derive G_{OSD}(x, z) from which we will determine the variance of an OSD-encoding.
    i ← 0;
    while true
        Find the largest j > i + 1 such that e' = e_j, e_{j−1}, ..., e_i = 0 1^{j−i}
        if there is no such j then exit;
        else replace e' with 1 0^{j−i−1} 1̄; i ← j;
    od

Fig. 1. An algorithm for producing a sparse signed-digit representation of a binary number.



Theorem 9. Let a_{n,m} be the number of binary strings of length n for which the OSD-recoding has Hamming weight m, 0 ≤ m ≤ n. Then

$$
G_{OSD}(x,z) = \sum_{n,m \ge 0} a_{n,m} x^n z^m
 = \frac{1 - x + xz - 2zx^2 + x^2 z^2}{1 - 2x + x^2 - 2zx^2 + 2zx^3}. \qquad (14)
$$

Proof. The proof is based on the following two regular expressions

    R_1 = 10(10)*0,
    R_2 = ((10)+11+0 + 11+0)(1+0)*0,

which describe how bits are propagated between runs separated by at most one 0. Further details are given in the Appendix. □
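As an added example (not code from the paper), the following Python produces the sparse encoding of Definition 8 with the standard non-adjacent-form recoding (equivalent to the output of Figure 1, though not a literal transcription of its scan order), counts its weight, and checks Theorem 9 by expanding (14) with the linear recurrence its denominator implies and comparing against exhaustive enumeration of all n-bit strings. It also checks, exactly in rational arithmetic, the closed form n/3 + 4/9 + (−1)^n/(18·2^n) − 1/2^{n+1} that the partial fractions in the proof of Theorem 10 yield for the expected weight (my reading of the scan; the test is what confirms it). Function names are mine; the exponents and small n used are constructed.

```python
"""Sparse signed-digit (OSD / non-adjacent form) recoding and its weight.
Added example, not code from the paper; it uses the standard NAF recoding
rather than the scan order of Figure 1 literally.  Function names are mine;
the exponents and small-n distributions checked are constructed."""
from collections import Counter
from fractions import Fraction


def naf_digits(e):
    """Digits a_0, a_1, ... of e with a_i in {0, 1, -1} (-1 stands for 1-bar),
    no two adjacent digits nonzero, and sum(a_i * 2^i) == e."""
    digits = []
    while e > 0:
        if e & 1:
            d = 2 - (e & 3)          # e = 1 mod 4 -> +1, e = 3 mod 4 -> -1
            digits.append(d)
            e -= d                   # now e = 0 mod 4: the next digit is 0
        else:
            digits.append(0)
        e >>= 1
    return digits


def is_sparse(digits):
    """Definition 8: no two consecutive digits are both nonzero."""
    return all(not (a and b) for a, b in zip(digits, digits[1:]))


def osd_weight(e):
    return sum(1 for d in naf_digits(e) if d)


def osd_weight_distribution(n):
    """{weight: count} over all 2^n binary strings of length n (Theorem 9's a_{n,m})."""
    return Counter(osd_weight(e) for e in range(2 ** n))


def gf_osd_distribution(n):
    """[x^n] of G_OSD(x, z) from (14), via the recurrence its denominator
    1 - 2x + x^2 - 2z x^2 + 2z x^3 implies; numerator 1 - x + xz - 2z x^2 + x^2 z^2."""
    numer = {0: {0: 1}, 1: {0: -1, 1: 1}, 2: {1: -2, 2: 1}}
    terms = [(1, 0, 2), (2, 0, -1), (2, 1, 2), (3, 1, -2)]   # (lag, z-shift, factor)
    coeff = []
    for m in range(n + 1):
        c = Counter(numer.get(m, {}))
        for lag, shift, factor in terms:
            if m >= lag:
                for w, cnt in coeff[m - lag].items():
                    c[w + shift] += factor * cnt
        coeff.append(+c)             # unary + drops zero entries
    return coeff[n]


def gf_mean(n):
    dist = gf_osd_distribution(n)
    return Fraction(sum(w * c for w, c in dist.items()), sum(dist.values()))


def expected_weight(n):
    """Closed form the partial fractions in the proof of Theorem 10 yield:
    n/3 + 4/9 + (-1)^n/(18*2^n) - 1/2^(n+1)."""
    return (Fraction(n, 3) + Fraction(4, 9)
            + Fraction((-1) ** n, 18 * 2 ** n) - Fraction(1, 2 ** (n + 1)))
```

`gf_osd_distribution(4)` returns {0: 1, 1: 4, 2: 9, 3: 2}, i.e. the coefficient 1 + 4z + 9z^2 + 2z^3 of x^4 in (14), and the same counts come out of recoding all sixteen 4-bit strings.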



Using α(X, p) from (11) we can again bound the distribution of weights, which are given in Table 3 for 512-, 768- and 1024-bit exponents.



Theorem 10. For a random n-bit exponent, we have that

$$
E[w_{OSD}(e)] = \frac{n}{3} + \frac{4}{9} + \frac{(-1)^n}{18 \cdot 2^n} - \frac{1}{2^{n+1}}, \qquad
Var[w_{OSD}(e)] = \frac{2n}{27} + \frac{14}{81} + O\!\left(\frac{n}{2^n}\right).
$$

Proof. The partial fraction decomposition of the derivative of G_{OSD}(x, z) at z = 1 is

$$
\left.\frac{\partial G_{OSD}(x,z)}{\partial z}\right|_{z=1}
 = \frac{1}{3(1-2x)^2} + \frac{1}{9(1-2x)} + \frac{1}{18(1+x)} - \frac{1}{2(1-x)}, \qquad (15)
$$

giving that E[w_{OSD}(e)] = n/3 + 4/9 + (−1)^n/(18·2^n) − 1/2^{n+1}. The partial fraction decomposition for the second derivative of G_{OSD}(x, z) at z = 1 is

$$
\left.\frac{\partial^2 G_{OSD}(x,z)}{\partial z^2}\right|_{z=1}
 = \frac{2}{9(1-2x)^3} - \frac{8}{27(1-2x)^2} + \cdots, \qquad (16)
$$

where the omitted terms have poles only at x = ±1 (one of them with denominator 27(1 + x)^2) and so contribute only O(n/2^n) after division by 2^n; hence [x^n]/2^n of (16) is (n + 1)(n + 2)/9 − 8(n + 1)/27 + O(n/2^n). Then Var[w_{OSD}(e)] is determined directly from the expression of the variance in terms of these two derivatives. □
  n      E[w_OSD(e)]   Var[w_OSD(e)]   0.50   0.60   0.75   0.90   0.95   0.99
  512    171.1         38.1            9      10     13     20     28     62
  768    256.4         57.1            11     12     16     24     34     76
  1024   341.7         76.0            13     14     18     28     39     88

Table 3. OSD-encoding distributions for 512-, 768- and 1024-bit exponents. The columns show the value of α(w_OSD(e), p), p ∈ {0.50, 0.60, 0.75, 0.90, 0.95, 0.99}.



6 Comparisons and Conclusions

In this paper we have analysed three recoding rules for improved exponentiation over the binary method. The analysis is thorough in that for the methods considered it is possible to extract both the expectation and variance of the random variable describing the recoded weight. In several of the cases we have derived closed forms for these statistics with respect to the recoding scheme.

It remains to draw comparisons between the three recoding methods. We will only discriminate on the basis of the number of multiplications required by a method, since the number of squarings required by the 2^k-ary and sliding window methods will be similar, and even taking squarings into account, the OSD method is significantly slower. The 2^k-ary method requires TMK(k) = 2^k + w_{k,TKM}(e) − 4 multiplications [?], and the k-bit sliding window method requires SW(k) = 2^{k−1} + w_{k,SW}(e) − 2 multiplications. The OSD method requires at least w_OSD(e) − 1, not counting any precomputation.

For 512-bit exponents, the optimal window size is k = 5 for both the TKM and SW methods, yielding an average multiplication cost of 127.8 and 100.3 respectively. Thus on average the optimal sliding window method only performs about 78% of the multiplies that the optimal 2^k-ary method performs. From Tables 1 and 2, since TMK(k) ≤ 127.8 + 19 = 146.8 over 99% of the time, and SW(k) ≥ 100.3 − 23 = 77.3 over 99% of the time, the optimal sliding window method will perform over 52% of the multiplications required by the optimal 2^k-ary method for most exponents. For the majority of exponents SW(k) ≤ 100.3 + 4 = 104.3, while the majority of exponents require TMK(k) ≥ 127.8 − 3 = 124.8 multiplications, meaning that the optimal sliding window method requires less than 84% of the multiplications required by the optimal 2^k-ary method for a majority of exponents. Further, from Table 3 we find that over 90% of OSD exponents require at least 170 − 20 = 150 multiplications, implying that the optimal sliding window only performs less than 70% of the multiplications that OSD requires.

Similarly, the optimal sliding window method is superior to the optimal 2^k-ary method for 1024-bit exponents, as it is to the OSD method. In this case the optimal window size for the sliding window method is k = 6, while it is k = 5 for the 2^k-ary method. Again from Tables 1 and 2, for the majority of exponents SW(k) ≤ 177.3 + 4 = 181.3, while the majority of exponents have TMK(k) ≥ 226.6 − 4 = 224.6, meaning that the optimal sliding window method requires approximately 80% of the multiplications required by the optimal 2^k-ary method for a majority of exponents. With high probability the optimal sliding window method performs at least 60% of the multiplications required by the optimal 2^k-ary method, and with almost certainty performs less than 60% of the multiplications required by the OSD method.

Even more accurate statements can be made if the generating functions are expanded, and probabilities computed directly. In the case of 512-bit exponents and k = 5 bit windows, both the sliding window and 2^k-ary methods deviate from their expected weights by more than ±10 with probability less than 10^{−4}. Further, the majority of exponents deviate by less than ±1 from their expected weight.

OSD recoded exponents tend to a weight of approximately n/3 on average. This weight cannot be significantly reduced since smaller weight exponents depend on longer runs of 1's occurring in the original exponent, but a run of length k has probability 2^{−k}. One advantage of the OSD coding is that little space is required for precomputation, and if inverses can be computed quickly then the OSD method may be attractive, say for elliptic curve computations on smart cards.

7 Appendix

Proof of Theorem 9

Let e = e_0 e_1 ··· e_{n−2} e_{n−1}, e = Σ_i e_i 2^i, be an n-bit exponent, written left-to-right as low order to high order bits. OSD-recoding can be interpreted as initially partitioning an exponent e into blocks

    e = b_1 0^{j_1} b_2 0^{j_2} ··· 0^{j_{t−2}} b_{t−1} 0^{j_{t−1}} b_t,    (17)

where j_d ≥ 0, 1 ≤ d < t. Each b_i, 1 ≤ i < t, consists of runs separated by a single zero, where the last run ends in two zeros, which for example might be 100 or 1011100. Also b_t is similar except that the last run is followed by either one or no zeroes. Note that since b_i and b_{i+1} are separated by at least two zeroes, the recoding of b_i and b_{i+1} according to Figure 1 will be independent.

The regular expression (1+0)*0 generates words containing runs separated by a single zero, where the last run ends in two zeros. The next step is to determine if the trailing pair of zeros after b_i, 1 ≤ i < t, is encoded as 10 or 00. In the first case we will say that a carry has propagated to the second most significant zero, or more simply, that a carry is present in b_i. The main observation is that a carry will be present if and only if b_i contains 110. We define the following two regular expressions to detect the presence of a carry:

    R_1 = 10(10)*0,
    R_2 = ((10)+11+0 + 11+0)(1+0)*0.

Here R_1 generates words with no carry, and R_2 generates words with carry (110 is present). Thus R_3 = (0 + R_1 + R_2)* generates all blocks in (17) except b_t. Note that the OSD-encoding of each b_i is length preserving and if |b_i| = k then it is enumerated as x^k z^m where m = #(runs in b_i) + [110 is present in b_i]. The gfs for R_1 and R_2 can be derived directly as

$$
G_{R_1}(x,z) = \frac{zx^3}{1 - zx^2}, \qquad
G_{R_2}(x,z) = \frac{zx^3}{1 - x}\left(1 + \frac{zx^2}{1 - zx^2}\right)\frac{1}{1 - \dfrac{zx^2}{1 - x}}\; xz,
$$

and G_{R_3}(x, z) = 1 / (1 − x − G_{R_1}(x, z) − G_{R_2}(x, z)). It remains to enumerate block b_t which is generated by the regular expression R_4 = (1+0)*1*. Expanding R_4 so that it can be marked for length and weight we obtain

    R_4 = (10)*(ε + 1 + 11) + 110+(1+0)*1* + (10)+11+0(1+0)*1*.

R_4 is similar to R_3, and G_{R_4}(x, z) is derived in a manner similar to G_{R_3}(x, z). The theorem follows from simplifying G_{R_4}(x, z) G_{R_3}(x, z).

□
Abstract. Using a random deal of cards to players and a computationally unlimited eavesdropper, all players wish to share a one-bit secret key which is information-theoretically secure from the eavesdropper. This can be done by a protocol to make several pairs of players share one-bit secret keys so that all these pairs form a spanning tree over players. In this paper we obtain a necessary and sufficient condition on the number of cards for the existence of such a protocol. Our condition immediately yields an efficient linear-time algorithm to determine whether there exists a protocol to achieve such a secret key sharing.



1 Introduction 

Suppose that there are k (≥ 2) players P_1, P_2, ..., P_k and a passive eavesdropper, Eve, whose computational power is unlimited. All players wish to share a common one-bit secret key that is information-theoretically secure from Eve. Let C be a set of d distinct cards which are numbered from 1 to d. All cards in C are randomly dealt to players P_1, P_2, ..., P_k and Eve. We call a set of cards dealt to a player or Eve a hand. Let C_i ⊆ C be P_i's hand, and let C_e ⊆ C be Eve's hand. We denote this deal by C = (C_1, C_2, ..., C_k; C_e). Clearly {C_1, C_2, ..., C_k, C_e} is a partition of set C. We write c_i = |C_i| for each 1 ≤ i ≤ k and c_e = |C_e|, where |A| denotes the cardinality of a set A. Note that c_1, c_2, ..., c_k and c_e are the sizes of hands held by P_1, P_2, ..., P_k and Eve respectively, and that d = Σ_{i=1}^{k} c_i + c_e. We call γ = (c_1, c_2, ..., c_k; c_e) the signature of deal C. In this paper we assume that c_1 ≥ c_2 ≥ ··· ≥ c_k; if necessary, we rename the players. The set C and the signature γ are public to all the players and even to Eve, but the cards in the hand of a player or Eve are private to herself, as in the case of usual card games.

We consider a graph called a key exchange graph, in which each vertex i represents a player P_i and each edge (i, j) joining vertices i and j represents a pair of players P_i and P_j sharing a one-bit secret key r_ij ∈ {0, 1}. (See Figure 1.) Refer to [?] for the graph-theoretic terminology. If the key exchange graph is a spanning tree as illustrated in Figure 1(e), then all the players can share a common one-bit secret key r ∈ {0, 1} as follows: an arbitrary player chooses a one-bit secret key r ∈ {0, 1}, and sends it to the rest of the players along the spanning tree; when player P_i sends r to player P_j along an edge (i, j) of the spanning tree, P_i computes the exclusive-or r ⊕ r_ij of r and r_ij and sends it to P_j, and P_j obtains r by computing (r ⊕ r_ij) ⊕ r_ij.

Fig. 1. A generating process of a key exchange graph.

For the case k = 2, Fischer, Paterson and Rackoff give a protocol to form a spanning tree, i.e. a graph having exactly one edge, as the key exchange graph by using a random deal of cards [?].

Fischer and Wright [?] extend this protocol for any k ≥ 2, and formalize a class of protocols called “key set protocols,” a formal definition of which will be given in the succeeding section. Furthermore they give the so-called SFP protocol as a key set protocol. We say that a key set protocol works for a signature γ if the protocol always forms a spanning tree as the key exchange graph for any deal C having the signature γ [?]. Let Γ be the set of all signatures, where the number k of players and the total number d of dealt cards are taken over all values. Define sets W and L as follows:

    W = {γ ∈ Γ | there is a key set protocol working for γ}; and
    L = {γ ∈ Γ | there is no key set protocol working for γ}.

Thus {W, L} is a partition of set Γ. Fischer and Wright show that their SFP protocol works for all γ ∈ W [?]. Furthermore they prove that a sufficient condition for γ ∈ W is c_k ≥ 1 and c_1 + c_k ≥ c_e + k. They also show that it is a necessary and sufficient condition for the case k = 2 [?]. However, a simple necessary and sufficient condition for the case k ≥ 3 has not been known so far [?].

Since the SFP protocol works for all γ ∈ W, one can determine whether γ ∈ W or not by simulating the SFP protocol for γ. However, it is necessary to simulate the protocol for all “malicious adversaries,” and hence the time required by this simulation is exponential in k and such a simulation is impractical.

In this paper for the case k ≥ 3 we give a simple necessary and sufficient condition on a signature γ for the existence of a key set protocol to work for γ. Given a signature γ = (c_1, c_2, ..., c_k; c_e), one can easily determine in time O(k) whether γ satisfies our condition or not. Thus our condition immediately yields an efficient linear-time algorithm for determining whether there exists a key set protocol to work for a given signature γ. Our condition looks in appearance to be similar to the condition for a given degree sequence to be “graphical,” and the proof for our condition is complicated as well as those for a degree sequence [?].



2 Preliminaries 

In this section we explain the key set protocol formalized by Fischer and Wright, and present known results on this protocol [?].

We first define some terms. A key set K = {x, y} consists of two cards x and y, one in C_i, the other in C_j with i ≠ j, say x ∈ C_i and y ∈ C_j. We say that a key set K = {x, y} is opaque if 1 ≤ i, j ≤ k and Eve cannot determine whether x ∈ C_i or x ∈ C_j with probability greater than 1/2. Note that both players P_i and P_j know that x ∈ C_i and y ∈ C_j. If K is an opaque key set, then P_i and P_j can share a one-bit secret key r_ij ∈ {0, 1}, using the following rule agreed on before starting the protocol: r_ij = 0 if x > y, r_ij = 1 otherwise. Since Eve cannot determine whether r_ij = 0 or r_ij = 1 with probability greater than 1/2, the secret key r_ij is information-theoretically secure. We say that a card x is discarded if all the players agree that x has been removed from someone's hand, that is, x ∉ (∪_{i=1}^{k} C_i) ∪ C_e. We say that a player P_i drops out of the protocol if she no longer participates in the protocol. We denote by V the set of indices i of all the players P_i remaining in the protocol. Note that V = {1, 2, ..., k} before starting a protocol.

The key set protocol has four steps as follows.

1. Choose a player P_s, s ∈ V, as a proposer by a certain procedure.

2. The proposer P_s determines in mind two cards x, y. The cards are randomly picked so that x is in her hand and y is not in her hand, i.e. x ∈ C_s and y ∈ (∪_{i ∈ V − {s}} C_i) ∪ C_e. Then P_s proposes K = {x, y} as a key set to all the players. (The key set is proposed just as a set. Actually it is sorted in some order, for example in ascending order, so Eve learns nothing about which card belongs to C_s unless Eve holds y.)

3. If there exists a player P_t holding y, then P_t accepts K. Since K is an opaque key set, P_s and P_t can share a one-bit secret key r_st that is information-theoretically secure from Eve. (In this case an edge (s, t) is added to the key exchange graph.) Both cards x and y are discarded. Let P_l be either P_s or P_t that holds a smaller hand; if P_s and P_t hold hands of the same size, let P_l be the proposer P_s. P_l discards all her cards and drops out of the protocol. Set V := V − {l}. Return to step 1.

4. If there exists no player holding y, that is, Eve holds y, then both cards x and y are discarded. Return to step 1. (In this case no new edge is added to the key exchange graph.)

These steps 1-4 are repeated until either exactly one player remains in the protocol or there are not enough cards left to complete step 2 even if two or more players remain. In the first case the key exchange graph becomes a spanning tree. In the second case the protocol fails to form a spanning tree.

We now illustrate the execution of the key set protocol. Let γ = (3, 2, 2, 2; 1) be the signature before starting the protocol. Thus there are four players P_1, P_2, P_3, P_4 and Eve; P_1 has a hand of size 3, P_2, P_3 and P_4 have hands of size 2, and Eve has a hand of size 1. At the beginning of the protocol the key exchange graph has four isolated vertices and has no edge, as illustrated in Figure 1(a). In Figure 1 a white circle represents a vertex corresponding to a player remaining in the protocol, and the number attached to a white circle represents the size of the corresponding player's hand. Suppose that P_4 is chosen as a proposer in step 1. In Figure 1 a double white circle represents the vertex corresponding to a proposer. In step 2, P_4 proposes K = {x, y} such that x ∈ C_4 and y ∉ C_4. Assume that y ∈ C_3. Then step 3 is executed, P_3 and P_4 share a one-bit secret key r_34, and edge (3, 4) is added to the key exchange graph, as illustrated in Figure 1(b). Since both cards x and y are discarded, the sizes of hands of both P_3 and P_4 decrease by one. Further, since the size of P_3's hand was the same as that of P_4's hand, the proposer P_4 discards all her cards and drops out of the protocol. Thus the resulting signature is γ_1 = (3, 2, 1; 1). In Figure 1 a black circle represents a vertex corresponding to a player who has dropped out of the protocol. We now return to step 1. Assume that P_2 is chosen as a proposer and y ∈ C_e. Then step 4 is executed, and the sizes of hands of both P_2 and Eve decrease by one. Thus the resulting signature is γ_2 = (3, 1, 1; 0), and no new edge is added to the key exchange graph, as illustrated in Figure 1(c). Since step 4 terminates, we now return to step 1. Assume that P_1 is chosen as a proposer and y ∈ C_3. Then edge (1, 3) is added to the key exchange graph as illustrated in Figure 1(d). Since the size of P_1's hand decreases by one and P_3 drops out of the protocol, the resulting signature is γ_3 = (2, 1; 0). We now return to step 1. Assume that P_2 is chosen as a proposer. Then y ∈ C_1 because only P_1 and P_2 remain in the protocol and Eve's hand has already been empty. Thus edge (1, 2) is added to the key exchange graph, and the key exchange graph becomes a spanning tree, as illustrated in Figure 1(e). Thus the protocol terminates. As seen from the example above, during the execution of the key set protocol, each connected component of the key exchange graph always has exactly one vertex (drawn in a white circle) corresponding to a player remaining in the protocol.

Considering various procedures for choosing the proposer P_s in step 1, we obtain the class of key set protocols.

First consider the procedure in step 1 for the case k = 2. Fischer, Paterson and Rackoff show that, if the procedure always chooses the player with the larger hand as a proposer P_s, then the resulting key set protocol works for any signature γ = (c_1, c_2; c_e) such that c_2 ≥ 1 and c_1 + c_2 ≥ c_e + 2 [?]. On the other hand, one can easily see that if there exists a key set protocol working for a signature γ = (c_1, c_2; c_e) then c_2 ≥ 1 and c_1 + c_2 ≥ c_e + 2. Thus the following Theorem 1 holds [?].

Theorem 1. [?] Let k = 2. Then γ ∈ W if and only if c_2 ≥ 1 and c_1 + c_2 ≥ c_e + 2.

Next consider the procedure in step 1 for the case k ≥ 3. As a key set protocol, Fischer and Wright give the SFP (smallest feasible player) procedure which chooses the “feasible” player with the smallest hand as a proposer [?]. Let γ = (c_1, c_2, ..., c_k; c_e) be the current signature. If c_e ≥ 1, P_i with c_i = 1 were chosen as a proposer, and y ∈ C_e occurred, then P_i's hand would become empty although she remains in the protocol, and hence the key exchange graph would not become a spanning tree. On the other hand, if c_e = 0, then y ∈ C_e does not occur and hence the procedure appears to be able to choose P_i with c_i = 1 as a proposer; however, if y ∈ C_j and c_j = 1, then P_j's hand would become empty and hence the key exchange graph would not become a spanning tree. Thus the procedure can choose P_i with c_i = 1 as a proposer only when c_e = 0 and c_j ≥ 2 for every j such that 1 ≤ j ≤ k and j ≠ i, that is, only when i = k and c_{k−1} ≥ 2. Remember that c_1 ≥ c_2 ≥ ··· ≥ c_k is assumed. Hence, we say that player P_i is feasible if the following condition (1) or (2) holds.

(1) c_i ≥ 2.

(2) c_e = 0, c_i = 1 with i = k, and c_{k−1} ≥ 2.

Thus, if the hands of all the players remaining in the protocol are not empty, i.e. c_k ≥ 1, and the proposer P_s is feasible, then the hands of all the players remaining in the protocol will not be empty at the beginning of the succeeding execution of steps 1-4.

We define a mapping f from Γ to natural numbers, as follows: f(γ) = i if P_i is the feasible player with the smallest hand (ties are broken by selecting the player having the largest index); and f(γ) = 0 if there is no feasible player. For example, if γ = (4, 3, 2, 2, 1, 1; 3), then f(γ) = 4. If γ = (4, 4, 3, 3, 1; 0), then f(γ) = k = 5 because c_e = 0, c_k = 1 and c_{k−1} ≥ 2. If γ = (1, 1, 1; 2), then f(γ) = 0 because there is no feasible player. Hereafter we often denote f(γ) simply by f.

From now on let γ = (c_1, c_2, ..., c_k; c_e). Note that the definition of f immediately implies the following Lemma 2. Lemma 2(a) provides a trivial necessary condition for γ ∈ W.

Lemma 2. The following (a) and (b) hold.

(a) If k ≥ 3 and γ ∈ W, then c_k ≥ 1 and f(γ) ≥ 1.

(b) If c_k ≥ 1, then c_i = 1 for every i such that f(γ) + 1 ≤ i ≤ k.

The SFP procedure chooses a proposer P_s as follows:

$$
s = \begin{cases} f(\gamma) & \text{if } 1 \le f(\gamma) \le k; \\ 1 & \text{if } f(\gamma) = 0. \end{cases}
$$

The key set protocol resulting from this procedure is called the SFP protocol. The following Theorem 3 has been known on the SFP protocol [?].
Theorem 3. [?] Let γ ∈ Γ. Then there exists a key set protocol working for γ, i.e. γ ∈ W, if and only if the SFP protocol works for γ.

Furthermore the following Lemma 4 is known on a sufficient condition for γ ∈ W [?].

Lemma 4. [?] If c_k ≥ 1 and c_1 + c_k ≥ c_e + k, then γ ∈ W.

The sufficient condition in Lemma 4 is not a necessary condition in general. For example, γ = (3, 3, 2, 1; 1) does not satisfy the condition in Lemma 4, but the SFP protocol works for γ and hence γ ∈ W [?]. In this paper we obtain a simple necessary and sufficient condition for γ ∈ W for any k ≥ 3. As shown later, γ = (3, 3, 2, 1; 1) satisfies our necessary and sufficient condition.

3 Necessary and Sufficient Condition

For k = 3, we obtain the following Theorem 5 on a necessary and sufficient condition for γ ∈ W.

Theorem 5. Let k = 3. Then γ ∈ W if and only if c_3 ≥ 1 and c_1 + c_3 ≥ c_e + 3.

Proof. Given in Section 5.
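As an added example (not the paper's own code), the following Python simulates the key set protocol of Section 2 at the level of signatures: one round of steps 2-4, the set of signatures reachable for a given proposer depending on who holds y, an exhaustive search deciding whether some key set protocol works for a signature (a proposer choice at every round that ends in a spanning tree whoever holds y, which is what "works for γ" means), the feasible-player mapping f(γ) and the SFP rule, and the closed forms of Theorem 1 and Theorem 5. It replays the worked run on γ = (3, 2, 2, 2; 1), and on small signatures checks the search against Theorems 1 and 5 and the SFP protocol against the search (Theorem 3). Function names are mine; the sample signatures are constructed, and a state carries hand sizes only, since by the symmetry of the protocol which of two equal hands is chosen does not matter.

```python
"""Key set protocol (Fischer and Wright) simulated on signatures.
Added example, not the paper's own code.  A state is (hands, c_e): `hands`
holds the remaining players' hand sizes in non-increasing order, `c_e` is
Eve's hand size.  Function names are mine; sample signatures are constructed."""
from functools import lru_cache
from itertools import product


def normalize(hands, c_e):
    """Canonical state with c_1 >= c_2 >= ... >= c_k, as the paper assumes."""
    return (tuple(sorted(hands, reverse=True)), c_e)


def next_signature(hands, c_e, s, t):
    """One round of steps 2-4: player s (0-based) proposes K = {x, y};
    t is the 0-based index of the player holding y, or None if Eve holds y."""
    h = list(hands)
    h[s] -= 1                          # x is discarded
    if t is None:                      # step 4: Eve held y, no edge
        return normalize(h, c_e - 1)
    h[t] -= 1                          # step 3: edge (s, t), y is discarded
    del h[s if h[s] <= h[t] else t]    # smaller hand drops out; tie -> proposer
    return normalize(h, c_e)


def outcomes(hands, c_e, s):
    """States reachable when s proposes: y may lie in any other non-empty
    hand, or in Eve's hand while she still has cards."""
    res = [next_signature(hands, c_e, s, t)
           for t in range(len(hands)) if t != s and hands[t] >= 1]
    if c_e >= 1:
        res.append(next_signature(hands, c_e, s, None))
    return res


@lru_cache(maxsize=None)
def in_W(hands, c_e):
    """True iff some key set protocol works: some proposer choice ends in a
    spanning tree whoever holds y, and so on at every later round."""
    if len(hands) == 1:                # exactly one player left: spanning tree
        return True
    for s in range(len(hands)):
        if hands[s] >= 1:              # step 2 needs a card x in the proposer's hand
            outs = outcomes(hands, c_e, s)
            if outs and all(in_W(*o) for o in outs):
                return True
    return False


def f_index(hands, c_e):
    """The paper's f(gamma): 1-based index of the feasible player with the
    smallest hand (ties -> largest index); 0 when nobody is feasible."""
    k = len(hands)
    feasible = [i for i in range(k) if hands[i] >= 2]
    if k >= 2 and c_e == 0 and hands[k - 1] == 1 and hands[k - 2] >= 2:
        feasible.append(k - 1)
    if not feasible:
        return 0
    smallest = min(hands[i] for i in feasible)
    return max(i for i in feasible if hands[i] == smallest) + 1


@lru_cache(maxsize=None)
def sfp_works(hands, c_e):
    """Does the SFP protocol (proposer P_f, or P_1 when f = 0) always succeed?"""
    if len(hands) == 1:
        return True
    f = f_index(hands, c_e)
    s = f - 1 if f >= 1 else 0
    outs = outcomes(hands, c_e, s) if hands[s] >= 1 else []
    return bool(outs) and all(sfp_works(*o) for o in outs)


def closed_form(hands, c_e):
    """Theorem 1 (k = 2) and Theorem 5 (k = 3) of the paper."""
    k = len(hands)
    if k == 2:
        return hands[1] >= 1 and hands[0] + hands[1] >= c_e + 2
    if k == 3:
        return hands[2] >= 1 and hands[0] + hands[2] >= c_e + 3
    raise ValueError("closed form given only for k = 2 and k = 3")


def sorted_signatures(k, max_hand, max_eve):
    for hands in product(range(max_hand + 1), repeat=k):
        if list(hands) == sorted(hands, reverse=True):
            for c_e in range(max_eve + 1):
                yield hands, c_e


def search_matches_closed_form(max_hand=4, max_eve=3):
    """Exhaustive search agrees with Theorems 1 and 5 on small signatures."""
    return all(in_W(h, e) == closed_form(h, e)
               for k in (2, 3) for h, e in sorted_signatures(k, max_hand, max_eve))


def sfp_matches_search(max_hand=3, max_eve=2):
    """Theorem 3 on small signatures: SFP works exactly when some protocol does."""
    return all(sfp_works(h, e) == in_W(h, e)
               for k in (3, 4) for h, e in sorted_signatures(k, max_hand, max_eve))


def example_trace():
    """The Section 2 run on gamma = (3,2,2,2;1): P_4 proposes, P_3 holds y;
    P_2 proposes, Eve holds y; P_1 proposes, P_3 holds y; P_2 proposes, P_1
    holds y.  Indices refer to the sorted tuple at each stage."""
    steps = [((3, 2, 2, 2), 1, 3, 2), ((3, 2, 1), 1, 1, None),
             ((3, 1, 1), 0, 0, 1), ((2, 1), 0, 1, 0)]
    return [next_signature(h, e, s, t) for h, e, s, t in steps]
```

`example_trace()` reproduces the signatures γ_1 = (3, 2, 1; 1), γ_2 = (3, 1, 1; 0), γ_3 = (2, 1; 0) and the final single remaining player; `in_W((3, 3, 2, 1), 1)` is True although Lemma 4 does not apply to that signature, as the text notes, and `f_index` returns 4, 5 and 0 on the three signatures used to illustrate f above. The exhaustive search is exponential in k, which is the point the paper makes about simulating all malicious adversaries.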

For k ≥ 4, we obtain the following Theorem 6 on a necessary and sufficient condition for γ ∈ W. Hereafter let B = {i ∈ V | c_i = 2}, and let b = ⌊|B|/2⌋. Note that, by Lemma 2(a), a trivial necessary condition for γ ∈ W is c_k ≥ 1 and f(γ) ≥ 1.

Theorem 6. Let k ≥ 4, c_k ≥ 1 and f ≥ 1. Then γ ∈ W if and only if

$$
\sum_{i=1}^{\bar{\bar f}} \max\{c_i - h^{+}, 0\} \ge \bar{\bar f}, \qquad (1)
$$

where

$$
\bar f = f - \delta, \qquad (2)
$$
$$
\bar{\bar f} = \bar f - 2\epsilon, \qquad (3)
$$
$$
h = c_e - c_k + k - \bar f, \qquad (4)
$$
$$
h^{+} = h + \epsilon, \qquad (5)
$$
$$
\delta = \begin{cases}
0 & \text{if } f = 1; \\
1 & \text{if } 2 \le f \le k - 1; \\
2 & \text{if } f = k \text{ and } c_{k-1} \ge c_k + 1; \text{ and} \\
1 & \text{if } f = k \text{ and } c_{k-1} = c_k,
\end{cases} \qquad (6)
$$

and

$$
\epsilon = \begin{cases}
\max\{\min\{c_2 - h, b\}, 0\} & \text{if } 5 \le f \le k - 1; \\
\max\{\min\{c_2 - h, b - 1\}, 0\} & \text{if } 5 \le f = k \text{ and } c_e \ge 1; \text{ and} \\
0 & \text{otherwise.}
\end{cases} \qquad (7)
$$

Proof. Given in Section 6.

Fig. 2. The evolution of a key exchange graph and the alteration of a signature.

[Remark] Since c_1 ≥ c_2 ≥ ··· ≥ c_k is assumed, Eq. (1) is equivalent to

$$
\sum_{i=1}^{k} \max\{c_i - h^{+}, 0\} \ge \bar{\bar f}, \qquad (8)
$$

where the summation is taken over all i, 1 ≤ i ≤ k, although the summation in Eq. (1) is taken over all i, 1 ≤ i ≤ f̿.

Figure 2(a) illustrates Eq. (8); the left hand side of Eq. (8) is equal to the number of cards above the dotted line in Figure 2(a), where the rectangles stacked on a player P_i, 1 ≤ i ≤ k, represent the cards of P_i's hand.

As mentioned in Section 2, the SFP protocol works for γ = (3, 3, 2, 1; 1), but γ does not satisfy the sufficient condition in Lemma 4 [?]. By the definition of f we have f = f(γ) = 3. Since k = 4, we have 2 ≤ f = 3 = k − 1, and hence by Eq. (6) δ = 1. By Eq. (2) f̄ = 3 − 1 = 2, and by Eq. (4) h = 1 − 1 + 4 − 2 = 2. Since f = 3 < 5, by Eq. (7) we have ε = 0. Hence by Eq. (3) we have f̿ = 2 − 0 = 2 and by Eq. (5) h⁺ = 2 + 0 = 2. Therefore Σ_{i=1}^{k} max{c_i − h⁺, 0} = (3 − 2) + (3 − 2) = 2 = f̿. Thus γ satisfies Eq. (1), the necessary and sufficient condition in Theorem 6.



The following Corollary 7 follows from Theorems 1, 5 and 6. This corollary provides a necessary and sufficient condition for γ ∈ W under a natural assumption that all players have hands of the same size.

Corollary 7. Let k ≥ 2 and c_1 = c_2 = ··· = c_k. Then γ ∈ W if and only if …

Corollary 7 means that the required size c_1 of hands is the same for any k ≥ 4 when c_1 = c_2 = ··· = c_k. Note that the total number kc_1 of required cards increases when k increases.

The following Corollary 8 is immediate from Corollary 7.

Corollary 8. Let k ≥ 2 and c_1 = c_2 = ··· = c_k = c_e. Then γ ∈ W if and only if …


4 Malicious Adversary

In this paper we use a malicious adversary in order to prove Theorem 6.

If a key set protocol works for a signature γ, then the key exchange graph must become a spanning tree for any deal C having the signature γ. Hence, whoever has the card y contained in the proposed key set K = {x, y}, the key exchange graph should become a spanning tree. The malicious adversary determines who holds the card y. Considering a malicious adversary to make it hard for the key exchange graph to become a spanning tree, we obtain a necessary condition for γ ∈ W. On the other hand, if under some condition on a signature γ a key set protocol always forms a spanning tree as the key exchange graph for any malicious adversary, then the condition is a sufficient one for γ ∈ W.

We use a function A : Γ × V → V ∪ {e} to represent a malicious adversary, as follows. Remember that Γ is the set of all signatures and that V is the set of indices of all the players remaining in a protocol. Let e be Eve's index. The inputs to the function A(γ, s) are the current signature γ ∈ Γ and the index s ∈ V of a proposer P_s chosen in the protocol. Its output is either the index t of a player P_t remaining in the protocol or the index e of Eve; A(γ, s) = t ≠ e means that player P_t holds card y, and A(γ, s) = e means that Eve holds card y.

From now on, we denote by γ = (c_1, c_2, ..., c_k; c_e) the current signature, and denote by γ_(s,A) the resulting signature after executing steps 1-4 under the assumption that P_s proposes a key set K = {x, y} and y ∈ C_{A(γ,s)}.

The definition of a malicious adversary A immediately implies the following Lemma 9.

Lemma 9. Let k ≥ 3. Then γ ∈ W if and only if there exists a proposer P_s such that γ_(s,A) ∈ W for any malicious adversary A. That is,

$$
\gamma \in W \iff \exists s\ \forall A\ \ \gamma_{(s,A)} \in W,
$$

in other words,

$$
\gamma \in L \iff \forall s\ \exists A\ \ \gamma_{(s,A)} \in L.
$$

From now on let k ≥ 3. If f = 0, then by Lemma 2(a) γ ∈ L. On the other hand, if f ≥ 1, then the index s of the proposer P_s chosen by the SFP procedure satisfies s = f. Furthermore, by Theorem 3 the SFP protocol works for all γ ∈ W. Thus, if γ ∈ W, then γ_(f,A) ∈ W for any malicious adversary A. Hence, the following Corollary 10 immediately follows from Theorem 3.

Corollary 10. Let k ≥ 3 and f(γ) ≥ 1. Then γ ∈ W if and only if γ_(f,A) ∈ W for any malicious adversary A. That is,

$$
\gamma \in W \iff \forall A\ \ \gamma_{(f,A)} \in W,
$$

in other words,

$$
\gamma \in L \iff \exists A\ \ \gamma_{(f,A)} \in L.
$$

It follows from the definition of a key set protocol that if two players P_i and P_j hold hands of the same size, that is, c_i = c_j, then

$$
\forall A\ \ \gamma_{(i,A)} \in W \iff \forall A\ \ \gamma_{(j,A)} \in W.
$$

Hence, if there exist two or more players P_i with c_i = c_s (including the proposer P_s), then one may assume without loss of generality that P_s has the largest index among all these players. We call it Assumption 1 for convenience sake. Furthermore, if A(γ, s) = t ≠ e and there exist two or more players P_i with c_i = c_t and i ≠ s (including P_t), then one may assume without loss of generality that P_t has the largest index among all these players. We call it Assumption 2 for convenience sake. Under the two assumptions above, γ_(s,A) = (c'_1, c'_2, ..., c'_{k'}; c'_e) satisfies c'_1 ≥ c'_2 ≥ ··· ≥ c'_{k'}, since γ satisfies c_1 ≥ c_2 ≥ ··· ≥ c_k.

The total size of all the players' hands decreases by two or more if A(γ, s) = t ≠ e; it decreases by exactly one if A(γ, s) = e. If a key set protocol works for γ, then A(γ, s) = t ≠ e occurs k − 1 times until the protocol terminates because the key exchange graph becomes a spanning tree having k − 1 edges at the end of the protocol. Furthermore A(γ, s) = e would occur c_e times. Hence, if a key set protocol works for γ, then Σ_{i=1}^{k} c_i ≥ 2(k − 1) + c_e = c_e + 2k − 2. Thus we have the following Lemma 11 as a trivial necessary condition for γ ∈ W.

Lemma 11. If γ ∈ W, then Σ_{i=1}^{k} c_i ≥ c_e + 2k − 2.
5 Proof of Theorem 3

In this section we give a proof of Theorem 3.

Since Lemma [?] implies the sufficiency of the condition in Theorem 3, we prove its necessity. That is, we show that if k = 3 and γ ∈ W then c_3 ≥ 1 and c_1 + c_3 ≥ c_e + 3. In order to prove this, we use the following malicious adversary A*:

$$A^*(\gamma, s) = \begin{cases} 3 & \text{if } s = 1; \\ 1 & \text{if } s = 2; \\ e & \text{if } s = 3. \end{cases}$$

We first have the following Lemma 12.

Lemma 12. Let k = 3, c_3 ≥ 1 and c_1 + c_3 ≤ c_e + 2. Then the following (a) or (b) holds.

(a) γ ∈ L.

(b) γ^{(f,A*)} satisfies k' = 3, c'_3 ≥ 1 and c'_1 + c'_3 ≤ c'_e + 2.

Proof. Let k = 3, c_3 ≥ 1 and c_1 + c_3 ≤ c_e + 2. If f = 0, then γ ∈ L by Lemma 2(a). Thus one may assume that 1 ≤ f ≤ 3. Then there are the following three cases.

Case 1: f = 1.

In this case, by Lemma 2(b), we have γ = (c_1, 1, 1; c_e) and hence c_2 = c_3 = 1. Thus, by c_1 + c_3 ≤ c_e + 2 we have c_1 ≤ c_e + 1. Hence Σ_{i=1}^{k} c_i ≤ (c_e + 1) + 1 + 1 = c_e + 2k − 3. Therefore γ ∈ L by Lemma 11.

Case 2: f = 2.

In this case, by Lemma 2(b) we have γ = (c_1, c_2, 1; c_e). Since f = 2, the definition of f implies c_2 ≥ 2 and c_3 ≥ 1. Furthermore, since c_3 = 1 and c_1 + c_3 ≤ c_e + 2, we have c_1 ≤ c_e + 1. Since f = 2, let P_2 be a proposer P_s. Since A*(γ, s) = 1 for s = 2, the size of the hand of P_1 holding card y decreases by one and the proposer P_2 drops out of the protocol, and hence γ^{(f,A*)} = (c_1 − 1, 1; c_e).

Therefore c'_1 + c'_2 = (c_1 − 1) + 1 = c_1. Since c_1 ≤ c_e + 1 and c'_e = c_e, we have c'_1 + c'_2 ≤ c'_e + 1. Thus by Theorem [?] γ^{(f,A*)} ∈ L. Therefore Corollary 10 implies γ ∈ L.

Case 3: f = 3.

In this case c_e ≥ 1; if c_e = 0, then by c_3 ≥ 1 and c_1 + c_3 ≤ c_e + 2 = 2 we have c_1 = c_2 = c_3 = 1, and hence f = 0, contrary to f = 3. Since f = 3, let P_3 be a proposer. Since A*(γ, s) = e for s = 3, the sizes of the hands of both P_3 and Eve decrease by one, and hence γ^{(f,A*)} = (c_1, c_2, c_3 − 1; c_e − 1), k' = 3 and c'_e = c_e − 1. Since P_3 was feasible, we have c'_3 = c_3 − 1 ≥ 1. Furthermore c'_1 + c'_3 = c_1 + (c_3 − 1) ≤ (c_e + 2) − 1 = c'_e + 2. Thus (b) holds. ∎

Define the size size(γ) of a signature γ as follows: size(γ) = c_e + k.

We are now ready to prove the necessity of the condition in Theorem 3.

(Proof for the necessity of the condition in Theorem 3)

Let k = 3. We shall show that if c_3 = 0 or c_1 + c_3 ≤ c_e + 2 then γ ∈ L. If c_3 = 0, then Lemma 2(a) implies γ ∈ L. Therefore it suffices to prove the following claim: if c_3 ≥ 1 and c_1 + c_3 ≤ c_e + 2 then γ ∈ L. We prove the claim by induction on size(γ) = c_e + k. Let c_3 ≥ 1 and c_1 + c_3 ≤ c_e + 2. Since k = 3, size(γ) ≥ 3.

First consider the case size(γ) = 3. In this case, c_e = 0, and hence c_1 + c_3 ≤ c_e + 2 = 2. Thus c_1 = c_2 = c_3 = 1, and hence f = 0. Therefore by Lemma 2(a) γ ∈ L.

Next let l ≥ 4, and assume inductively that the claim holds when size(γ) = l − 1.

Consider any signature γ such that size(γ) = l. By Lemma 12 the following (a) or (b) holds:

(a) γ ∈ L; and

(b) γ^{(f,A*)} satisfies k' = 3, c'_3 ≥ 1 and c'_1 + c'_3 ≤ c'_e + 2.

Thus one may assume that (b) holds. Then, since size(γ^{(f,A*)}) = size(γ) − 1 = l − 1, by the induction hypothesis we have γ^{(f,A*)} ∈ L. Therefore Corollary 10 implies γ ∈ L. ∎

6 Sketchy Proof of Theorem [?]

In this section we outline a proof of Theorem [?].

One can easily prove Theorem [?] for the case f = 1 as follows. Let k ≥ 4, c_k ≥ 1 and f = 1. Then δ = ε = 0 and hence f̂ = f = 1. By Lemma 2(b) c_k = 1 and hence ĥ = h = c_e − 1 + k − 1 = c_e + k − 2. Thus, Eq. [?] is equivalent to max{c_1 − c_e − k + 2, 0} ≥ 1, and hence equivalent to c_1 ≥ c_e + k − 1. Therefore Theorem [?] for the case f = 1 immediately follows from the following Lemma 13.

Lemma 13. Let c_k ≥ 1 and f = 1. Then γ ∈ W if and only if c_1 ≥ c_e + k − 1.

Proof. The sufficiency immediately follows from Lemma [?]. Therefore it suffices to prove the necessity. Let c_k ≥ 1, f = 1 and γ ∈ W. Then by Lemma 11 we have Σ_{i=1}^{k} c_i ≥ c_e + 2k − 2. On the other hand, since f = 1, by Lemma 2(b) γ = (c_1, 1, 1, ..., 1; c_e) and hence Σ_{i=1}^{k} c_i = c_1 + k − 1. Therefore, c_1 + k − 1 ≥ c_e + 2k − 2 and hence c_1 ≥ c_e + k − 1. ∎

We then sketch a proof of Theorem [?] for the case 2 ≤ f ≤ k. The detail is omitted in this extended abstract. We sketch a proof only for the necessity of the condition in Theorem [?]. (One can prove the sufficiency by induction on size(γ) = c_e + k.) Let k ≥ 4, c_k ≥ 1, 2 ≤ f ≤ k and γ ∈ W. Instead of proving Eq. [?] we prove that the following equation holds:

$$\sum_{i=1}^{\hat f} \max\{c_i - \hat h, 0\} \ge \hat f, \qquad (9)$$

which is obtained from Eq. [?] by replacing f and h with f̂ and ĥ, respectively.

For simplicity, we assume that δ = 1, i.e. 2 ≤ f ≤ k − 1. (The proof for δ = 2, 3 is similar.) Then by Lemma 2(b) c_k = 1. Furthermore f̂ = f − 1 and ĥ = c_e + k − f. Thus Eq. (9) is equivalent to

$$\sum_{i=1}^{f-1} \max\{c_i - \hat h, 0\} \ge f - 1. \qquad (10)$$

We prove the necessity of Eq. (10). Let 2 ≤ f ≤ k − 1. Then the signature is γ = (c_1, c_2, ..., c_f, 1, 1, ..., 1; c_e). That is, there are exactly f feasible players P_1, P_2, ..., P_f, and each of the remaining k − f players P_{f+1}, P_{f+2}, ..., P_k has exactly one card. The key exchange graph has exactly k isolated vertices before starting the protocol, as illustrated in Figure 2(a). In Figure 2 a white rectangle represents a card in players' hands. The SFP protocol chooses the feasible player P_f with the smallest hand as a proposer. Consider a malicious adversary that does not choose Eve and always chooses the player with the largest hand as P_t with y ∈ C_t. Then P_f and the player P_t with the largest hand share a one-bit secret key, the size of P_t's hand decreases by one, P_f drops out of the protocol, and an edge joining the two vertices corresponding to these two players is added to the key exchange graph, as illustrated in Figure 2(b). In the example of Figure 2 the size of P_1's hand decreases by one, P_f discards all her cards and drops out of the protocol, and edge (1, f) is added to the key exchange graph. In Figure 2(b), we lightly shade the rectangle corresponding to the card y discarded by P_t = P_1, and darkly shade the rectangles corresponding to the cards discarded by P_f who drops out of the protocol. At the next execution of steps 1–4, the proposer is P_{f−1}. By considering the same malicious adversary as above, P_{f−1} and the player with the largest hand share a one-bit secret key as illustrated in Figure 2(c). In Figure 2, since P_1 has a hand of the same size as P_2, by Assumption 2 P_t = P_2 and hence edge (2, f − 1) is added to the key exchange graph as illustrated in Figure 2(c). Repeat such an operation until P_1 becomes a proposer, i.e. there exists exactly one feasible player as illustrated in Figure 2(d), and let γ* = (c*_1, c*_2, ..., c*_{k*}; c_e) be the resulting signature. Then k* = k − f + 1, c*_2 = c*_3 = ··· = c*_{k*} = 1, f(γ*) = 1, and the size of Eve's hand remains c_e. By Corollary 10 we have γ* ∈ W. Therefore, by Lemma 13, c*_1 ≥ c_e + k* − 1 = c_e + k − f = ĥ. The malicious adversary has chosen f − 1 players P_i in total as P_t so far, and hence there are exactly f − 1 lightly shaded rectangles in Figure 2(d). The malicious adversary above implies that such a player P_i, 1 ≤ i ≤ f − 1, should have a hand of size greater than ĥ when she was chosen by the malicious adversary. Thus there are f − 1 or more rectangles above the dotted line in Figure 2(a). Therefore we have Σ_{i=1}^{f−1} max{c_i − ĥ, 0} ≥ f − 1, and hence Eq. (10) holds.

We have sketched a proof of the necessity of Eq. (10). One can similarly prove the necessity of Eq. [?].

7 Conclusion

In this paper we gave a simple necessary and sufficient condition on a signature γ = (c_1, c_2, ..., c_k; c_e) for the existence of a key set protocol that works for γ. In other words, we gave a simple complete characterization of the sets W and L.

Since the SFP protocol works for all γ ∈ W (Theorem [?]), one can determine whether γ ∈ W or not by simulating the SFP protocol for γ. However, it is necessary to simulate the protocol for all malicious adversaries, and hence the time required by this simulation is exponential in k; such a simulation is impractical. Clearly one can determine in time O(k) whether our necessary and sufficient condition, i.e. Eq. [?] or Eq. [?], holds or not. Thus one can determine in time O(k) whether γ ∈ W or not.

This paper addresses only the class of key set protocols, and hence it still remains open to obtain a necessary and sufficient condition for any (not necessarily key set) protocol to work for γ.

An Eulerian circuit is more appropriate as a key exchange graph than a spanning tree if it is necessary to acknowledge the secure key distribution. We have given a protocol to achieve such a key exchange [?].
Abstract. We present a single-database computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the Φ-Hiding Assumption (ΦHA): essentially the difficulty of deciding whether a small prime divides φ(m), where m is a composite integer of unknown factorization.

Keywords: Integer factorization, Euler's function, hiding assumption, private information retrieval.

1 Introduction

Private information retrieval. The notion of private information retrieval (PIR for short) was introduced by Chor, Goldreich, Kushilevitz and Sudan [?] and has already received a lot of attention. The study of PIR is motivated by the growing concern about the user's privacy when querying a large commercial database. (The problem was independently studied by Cooper and Birman [?] to implement an anonymous messaging service for mobile users.)

Ideally, the PIR problem consists of devising a communication protocol involving just two parties, the database and the user, each having a secret input. The database's secret input is called the data string, an n-bit string B = b_1 b_2 ··· b_n. The user's secret input is an integer i between 1 and n. The protocol should enable the user to learn b_i in a communication-efficient way and at the same time hide i from the database. (The trivial and inefficient solution is having the database send the entire string B to the user.)

Information-theoretic PIRs (with database replication). Perhaps surprisingly, the original paper [?] shows that the PIR problem is solvable efficiently in an information-theoretic setting if the database does not consist of a single player, but of multiple players, each holding the same data string B, who can communicate with the user but not with each other (a model reminiscent of the multi-prover proof systems of [?]). By saying that this model offers an

* Research done at Laboratory for Computer Science, MIT.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 402–414, 1999.

© Springer-Verlag Berlin Heidelberg 1999
information-theoretic solution, we mean that an individual database player cannot learn i at all, no matter how much computation it may perform, as long as it does not collude with other database players.

Several solutions in this model are presented in the paper of Chor et al. For example, (1) there are two-database information-theoretic PIRs with [complexity illegible] communication complexity, and (2) there are O(log n)-database information-theoretic PIRs with polylog(n) communication complexity. In subsequent work, Ambainis gives a construction for k-database information-theoretic PIRs with O(n^{1/(2k−1)}) communication complexity [2].

Computational PIRs (with database replication). Notice that the latter two information-theoretic PIRs achieve subpolynomial communication complexity, but require more than a constant number of database servers. Chor and Gilboa [?], however, show that it is possible to achieve subpolynomial communication complexity with minimal database replication if one requires only computational privacy of the user input, a theoretically weaker though practically sufficient notion. They give a two-database PIR scheme with communication complexity O(n^ε) for any ε > 0. Their system makes use of a security parameter k and guarantees that, as long as an individual database performs a polynomial (in k) amount of computation and does not collude with the other one, it learns nothing about the value i.

Computational PIRs (without database replication). Though possibly viable, the assumption that the database servers are separated and yet mirror the same database contents may not be too practical. Fortunately, and again surprisingly, Kushilevitz and Ostrovsky [?] show that replication is not needed. Under a well-known number-theoretic assumption, they prove the existence of a single-database computational PIR with subpolynomial communication. More precisely, under the quadratic residuosity assumption [?], they exhibit a CPIR protocol between a user and one database with communication complexity O(n^ε), for any ε > 0, where again n represents the length of the data string. (For brevity, we refer to such a single-database, computational PIR as a CPIR.)

It should be noted that the CPIR of [?] has an additional communication complexity that is polynomial in the security parameter k, but this additional amount of communication is de facto absorbed in the mentioned O(n^ε) complexity, because for all practical purposes k can be chosen quite small.

This result has raised the question of whether it is possible to construct CPIRs with lower communication complexity.

Main result. We provide a positive answer to the above question based on a new but plausible number-theoretic assumption: the Φ Assumption, or ΦA for short. The ΦA consists of two parts, the Φ-Hiding Assumption (ΦHA) and the Φ-Sampling Assumption (ΦSA).

Informally, the ΦHA states that it is computationally intractable to decide whether a given small prime divides φ(m), where m is a composite integer of unknown factorization. (Recall that φ is Euler's totient function, and that computing φ(m) on input m is as hard as factoring m.) The ΦSA states that it is possible to efficiently find a random composite m such that a given prime p divides φ(m).

The ΦA is attractively simple and concrete. Finding crisp and plausible assumptions is an important task in the design and analysis of cryptographic protocols, and we believe that the ΦA will prove useful in other contexts and will attract further study. Based on it we prove the following

Main Theorem: Under the ΦA there is a two-round CPIR whose communication complexity is polylogarithmic in n (and polynomial in the security parameter).

We note that our CPIR is "essentially optimal" in several ways:

Communication complexity. Disregarding the privacy of the user input altogether, in order for the user to obtain the ith bit of an n-bit data string, at least log n bits have to be communicated between the user and the database in any case.

Computational complexity. Our CPIR is also very efficient from a computational-complexity point of view. Namely, (1) the user runs in time polynomial in k log n and (2) the database runs in time proportional to n times a polynomial in k. Both properties are close to optimal in our context. The user computational complexity is close to optimal because, as already mentioned, in any scheme achieving sub-linear communication, the user must send at least log n bits of information, and thus perform at least log n steps of computation. The database computational complexity is close to optimal because the database must read each bit of its data string in any single-database PIR. (Otherwise, it would know that the user cannot possibly have received any of the unread bits and therefore gain some information about the user input i.)

Round complexity. The round complexity of our CPIR is essentially optimal because, as long as the user can choose his own input i at will in each execution, no single-round CPIR exists.[1]

Privacy model. Our CPIR achieves computational privacy. Although information-theoretic privacy is stronger, our scheme is optimal among single-database PIRs since there are no single-database PIRs with information-theoretic privacy (other than sending the entire data string).

[1] We do not rule out the possibility of single-round CPIRs in alternative models, for example, in a model where the user always learns the bit in position i in any execution in which the data string has at least i bits.
2 Preliminaries and Definitions

2.1 Notation

Integers. We denote by N the set of natural numbers. Unless otherwise specified, a natural number is presented in its binary expansion whenever given as an input to an algorithm. If n ∈ N, by 1^n we denote the unary expansion of n, that is, the concatenation of n 1's. If a, b ∈ N, we denote that a evenly divides b by writing a | b. Let Z_m be the ring of integers modulo m and Z_m^* its multiplicative group. The Euler totient function of an integer m, denoted by φ(m), is defined as the number of positive integers < m that are relatively prime to m.

Strings. If σ and τ are binary strings, we denote σ's length by |σ|, σ's ith bit by σ_i, and the concatenation of σ and τ by σ ∘ τ.

Computation models. By an algorithm we mean a (probabilistic) Turing machine. By saying that an algorithm is efficient we mean that, for all but an exponentially small fraction of its random tapes, it runs in fixed polynomial time. By a k-gate circuit we mean a finite function computable by an acyclic circuit with k Boolean gates, where each gate is either a NOT gate (with one input and one output) or an AND gate (with two binary inputs and one binary output).

Probability spaces. (Taken from [?] and [?].) If A(·) is an algorithm, then for any input x, the notation "A(x)" refers to the probability space that assigns to the string σ the probability that A, on input x, outputs σ.

If S is a probability space, then "x ← S" denotes the algorithm which assigns to x an element randomly selected according to S. If F is a finite set, then the notation "x ← F" denotes the algorithm which assigns to x an element selected according to the probability space whose sample space is F and whose probability distribution on the sample points is uniform.

If p(·, ·, ···) is a predicate, the notation

$$\mathrm{PROB}[x \leftarrow S;\; y \leftarrow T;\; \cdots : p(x, y, \cdots)]$$

denotes the probability that p(x, y, ···) will be true after the ordered execution of the algorithms x ← S, y ← T, ···.

2.2 Fully Polylogarithmic CPIR

Our proposed CPIR works in only two rounds and achieves both polylogarithmic communication complexity and polylogarithmic user computational complexity. For the sake of simplicity, we formalize only such types of CPIRs below.

Definition: Let D(·, ·, ·), Q(·, ·, ·), and R(·, ·, ·, ·, ·) be efficient algorithms. We say that (D, Q, R) is a fully polylogarithmic computationally private information retrieval scheme (or polylog CPIR for short) if there exist constants a, b, c, d > 0 such that:
1. (Correctness) ∀n, ∀ n-bit strings B, ∀i ∈ [1, n], and ∀k,

$$\mathrm{PROB}[(q, s) \leftarrow Q(n, i, 1^k);\; r \leftarrow D(B, q, 1^k) : R(n, i, (q, s), r, 1^k) = B_i] > 1 - 2^{-ak}$$

2. (Privacy) ∀n, ∀i, j ∈ [1, n], ∀k such that 2^k > n^b, and ∀ 2^{ck}-gate circuits A,

$$\bigl|\mathrm{PROB}[(q, s) \leftarrow Q(n, i, 1^k) : A(n, q, 1^k) = 1] - \mathrm{PROB}[(q, s) \leftarrow Q(n, j, 1^k) : A(n, q, 1^k) = 1]\bigr| < 2^{-dk}$$

We call a, b, c, and d the fundamental constants (of the CPIR); B the data string; D the database algorithm; the pair (Q, R) the user algorithm; Q the query generator; R the response retriever; q the query; s the secret (associated to q); r the response; and k the security parameter. (Intuitively, query q contains user input i, and response r contains database bit b_i, but both contents are unintelligible without secret s.)

Remarks.

1. Our correctness constraint slightly generalizes the one of [?]. Whereas there correctness is required to hold with probability 1, we require it to hold with very high probability.

2. As mentioned above, the communication complexity of our CPIR is polylogarithmic in n (the length of the data string) times a polynomial in k (the security parameter). Because k is an independent parameter, it is of course possible to choose it so large that the polynomial dependence on k dominates over the polylogarithmic dependence on n. But choosing such a k is an overkill, since our definition guarantees "an exponential amount of privacy" also when k is only polylogarithmic in n.

2.3 Number Theory

Some useful sets. Let us define the sets we need in our assumptions and constructions.

Definition: We denote by PRIMES_a the set of the primes of length a, and by H_a the set of the composite integers that are the product of two primes of length a. (For a large, H_a contains the hardest inputs to any known factoring algorithm.)

We say that a composite integer m φ-hides a prime p if p | φ(m). Denote by H^b(m) the set of b-bit primes p that are φ-hidden by m, denote by H̄^b(m) the set PRIMES_b − H^b(m), and denote by H^b_a the set of those m ∈ H_a (i.e., products of two a-bit primes) that φ-hide a b-bit prime.

Some useful facts. Let us state without proof some basic or well-known number-theoretic facts used in constructing our CPIR.
Fact 1: There exists an efficient algorithm that on input a outputs a random prime in PRIMES_a.

Fact 2: There exists an efficient algorithm that on input a outputs a random element of H_a.

Fact 3: There exists an efficient algorithm that, on input a b-bit prime p and an integer m together with its integer factorization, outputs whether or not p ∈ H^b(m).

Fact 4: There exists an efficient algorithm that, on inputs x, p, m, and m's integer factorization, outputs whether or not x has a pth root mod m.

Our assumptions.

The Φ Assumption (ΦA):

∃ e, f, g, h > 0 such that

• Φ-Hiding Assumption (ΦHA): ∀k > h and ∀ 2^{ek}-gate circuits C,

$$\mathrm{PROB}[m \leftarrow H^k_{k^f};\; p_0 \leftarrow H^k(m);\; p_1 \leftarrow \bar H^k(m);\; b \leftarrow \{0, 1\} : C(m, p_b) = b] < \tfrac{1}{2} + 2^{-gk}$$

• Φ-Sampling Assumption (ΦSA): ∀k > h, there exists a sampling algorithm S(·) such that for all k-bit primes p, S(p) outputs a random k^f-bit number m ∈ H^k_{k^f} that φ-hides p, together with m's integer factorization.

We refer to e, f, g, and h as the first, second, third, and fourth fundamental constant of the ΦA, respectively.

Remarks.

1. Revealing a large prime dividing φ(m) may compromise m's factorization. Namely, if p is a prime > m^{1/4} and p | φ(m), then one can efficiently factor m on inputs m and p [?]. Consequently, it is easy to decide whether p divides φ(m) whenever p > m^{1/4}. But nothing similar is known when p is much smaller, and for the ΦHA it suffices that deciding whether p divides φ(m) is hard when p is not just a constant fraction shorter than m, but polynomially shorter.

We further note that if the complexity of factoring is Ω(2^{(log m)^c}) for some constant c between 0 and 1, then revealing a prime p dividing φ(m) cannot possibly compromise m's factorization significantly if log p is significantly smaller than (log m)^c. Indeed, since p can be represented using at most log p bits, revealing p cannot contribute more than a speed-up of 2^{log p} = p for factoring m.

Note that the ΦHA does not hold for p = 3. If m = Q_1 Q_2 and m ≡ 2 (mod 3), then one can tell that one of Q_1 and Q_2 is congruent to 1 mod 3 and the other is 2 mod 3. In this case, it is obvious that 3 divides φ(m) = (Q_1 − 1)(Q_2 − 1).
2. The ΦSA is weaker than the well-known and widely accepted Extended Riemann Hypothesis (ERH). Consider the following algorithm S(·):

Inputs: a k-bit prime p.

Output: a k^f-bit integer m ∈ H^k_{k^f} that φ-hides p, and its integer factorization.

Code for S(p):

(a) Repeatedly choose a random (k^f − k)-bit integer q_1 until Q_1 = p q_1 + 1 is a prime.

(b) Choose a random k^f-bit prime Q_2.

(c) Let m ← Q_1 · Q_2 and return m and (Q_1, Q_2).

Under the ERH, algorithm S finds a suitable m in expected polynomial time (see Exercise 30 in Chapter 8 of [?]).

3 Our CPIR

3.1 The High-Level Design

At a very high level, the user's query consists of a compact program that contains the user input i in a hidden way. The database runs this program on its data string, and the result of this computation is its response r.

A bit more specifically, this compact program is actually run on the data string in a bit-by-bit fashion. Letting B be the data string, the user sends the database an algorithm A and a k-bit value x_0 (where k is the security parameter), and the database computes a sequence of k-bit values: x_1 = A(x_0, B_1), x_2 = A(x_1, B_2), ..., x_n = A(x_{n−1}, B_n). The last value x_n is the response r. The user retrieves B_i by evaluating on x_n a predicate R_i, which is hard to guess without the secret key of the user.

This high-level design works essentially because the predicate R_i further enjoys the following properties relative to the sequence of values x_0, ..., x_n:

1. R_i(x_0) = 0;

2. ∀j = 1, ..., i − 1, R_i(x_j) = 0;

3. R_i(x_i) = 1 if and only if B_i = 1; and

4. ∀j ≥ i, R_i(x_{j+1}) = 1 if and only if R_i(x_j) = 1.

It follows by induction that R_i(x_n) = 1 if and only if B_i = 1.

3.2 The Implementation

To specify our polylog CPIR we must give a database algorithm D and user algorithms Q (query generator) and R (response retriever). These algorithms use two common efficient subroutines T and P that we describe first. Algorithm T could be any probabilistic primality test [17], [?], but we let it be a primality prover so as to gain some advantage in the notation and presentation (at the expense of running time).
Basic inputs.

A number n ∈ N; an n-bit sequence B; an integer i ∈ [1, n]; and a unary security parameter 1^k such that k > (log n)^[?].

Primality prover T(·).

Input: an integer z (in binary).

Output: 1 if z is prime, and 0 if z is composite.

Code for T(z): See [?].

Prime(-sequence) generator P(·, ·, ·).

Inputs: an integer a ∈ [1, n]; a sequence of k-bit strings Y = (y_0, ..., y_{k^3−1}); and 1^k.

Output: a k-bit integer p_a (a prime with overwhelming probability).

Because P is deterministic, for Y and k fixed, it generates a sequence of (probable) primes p_1, ..., p_n with a = 1, ..., n.

Code for P(a, Y, 1^k):

1. j ← 0.

2. a_j ← a ∘ j, where a is the (log n)-bit representation of a and j the (k − log n)-bit representation of j.

3. z_j ← the polynomial with coefficients y_0, ..., y_{k^3−1} evaluated at a_j, where all strings y_l and a_j are interpreted as elements of GF(2^k) and the operations are in GF(2^k).

4. If T(z_j) = 1 or j = [?], then return p_a ← z_j and halt; else, j ← j + 1 and go to step 2.

Query generator Q(·, ·, ·).

Inputs: n; an integer i ∈ [1, n]; and 1^k.

Outputs: a query q = (m, x, Y) and a secret s, where m is a k^f-bit composite (f being the second constant of the ΦA), x ∈ Z_m^*, Y a k^3-long sequence of k-bit strings, and where s consists of m's prime factorization.

Code for Q(n, i, 1^k):

1. Randomly and independently choose y_0, ..., y_{k^3−1} ∈ {0, 1}^k and let Y = (y_0, ..., y_{k^3−1}).

2. p_i ← P(i, Y, 1^k).

3. Choose a random k^f-bit integer m that φ-hides p_i = P(i, Y, 1^k) and let s be its integer factorization.

4. Choose a random x ∈ Z_m^*.

5. Output the query q = (m, x, Y) and the secret s.

Database algorithm D(·, ·, ·).

Inputs: B; q = (m, x, Y), a query output by Q(n, i, 1^k); and 1^k.

Output: r ∈ Z_m^*.
Code for D(B, q, 1^k):

1. x_0 ← x.

2. For j = 1, ..., n, compute:

(a) p_j ← P(j, Y, 1^k).

(b) e_j ← p_j^{B_j}.

(c) x_j ← x_{j−1}^{e_j} mod m.

3. Output the response r = x_n.

Response retriever R(·, ·, ·, ·, ·).

Inputs: n; i; ((m, x, Y), s), an output of Q(n, i, 1^k); r, an output of D(B, (m, x, Y), 1^k); and 1^k.

Output: a bit b. (With overwhelming probability, b = B_i.)

Code for R(n, i, (q, s), r, 1^k): If r has p_i-th roots mod m, then output 1, else output 0.
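The following Python program is an added, self-contained toy that is not code from the paper: it implements the sampling algorithm S(p) of Remark 2 in Section 2.3, Facts 3 and 4 (decided with the factorization of m), and the algorithms P, Q, D and R of Section 3.2 with small constructed parameters, and it also evaluates the predicate R_i along the database's computation to exhibit properties 1–4 of Section 3.1. Two deviations are assumptions of this toy: the prime-sequence generator derives its candidate from a hash of (Y, a) instead of the paper's polynomial over GF(2^k), and the query generator resamples to exclude the low-probability events (a second sequence prime dividing φ(m), or x_0 already having a p_i-th root) that the paper's correctness analysis merely bounds. The 16-bit and 40-bit sizes are for illustration only and carry no security.

```python
import hashlib
import math
import random

# Toy parameters (constructed for this example; the paper's modulus m is 2k^f bits).
K = 16           # bit length of the primes p_1, ..., p_n
Q_BITS = 40      # bit length of the prime factors Q1, Q2 of m
MR_BASES = (2, 3, 5, 7, 11, 13, 17)   # Miller-Rabin is exact below 3.4e14 with these

def is_prime(z):
    """Primality prover T(z): deterministic Miller-Rabin, exact for z < 3.4e14."""
    if z < 2:
        return False
    for b in MR_BASES:
        if z % b == 0:
            return z == b
    d, s = z - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, z)
        if x in (1, z - 1):
            continue
        for _ in range(s - 1):
            x = x * x % z
            if x == z - 1:
                break
        else:
            return False
    return True

def prime_seq(a, Y, k=K):
    """Stand-in for P(a, Y, 1^k): a k-bit prime derived deterministically from (a, Y).
    The paper evaluates a polynomial over GF(2^k); this toy hashes instead (assumption)."""
    h = hashlib.sha256(Y + a.to_bytes(4, "big")).digest()
    z = int.from_bytes(h, "big") % (1 << (k - 1)) | (1 << (k - 1)) | 1
    while not is_prime(z):
        z += 2
    return z

def phi_hide(p, rng=None):
    """Sampling algorithm S(p) of Remark 2: Q1 = p*q1 + 1 and Q2 prime, so m = Q1*Q2
    phi-hides p because p | Q1 - 1 | phi(m). Returns m and its factorization."""
    rng = rng if rng is not None else random.Random(0)
    while True:
        q1 = rng.getrandbits(Q_BITS - K) & ~1          # even, so Q1 is odd
        Q1 = p * q1 + 1
        if q1 and is_prime(Q1):
            break
    while True:
        Q2 = rng.getrandbits(Q_BITS) | (1 << (Q_BITS - 1)) | 1
        if is_prime(Q2):
            break
    return Q1 * Q2, (Q1, Q2)

def divides_phi(p, factors):
    """Fact 3: given m's factorization, decide whether p | phi(m) = (Q1-1)(Q2-1)."""
    return any((q - 1) % p == 0 for q in factors)

def has_pth_root(x, p, factors):
    """Fact 4: x in Z_m^* has a p-th root mod m iff it has one mod each prime factor q,
    i.e. iff x^((q-1)/gcd(p, q-1)) == 1 (mod q) for every q."""
    return all(pow(x, (q - 1) // math.gcd(p, q - 1), q) == 1 for q in factors)

def query(n, i, rng):
    """Q(n, i, 1^k): query q = (m, x, Y) and secret s = (Q1, Q2)."""
    while True:
        Y = rng.getrandbits(256).to_bytes(32, "big")     # seed of the prime sequence
        primes = [prime_seq(a, Y) for a in range(1, n + 1)]
        m, s = phi_hide(primes[i - 1], rng)
        # The paper tolerates these exponentially unlikely events; the toy resamples so
        # that p_i is the only sequence prime dividing phi(m) and x_0 has no p_i-th root.
        if len(set(primes)) < n or any(divides_phi(p, s) for a, p in enumerate(primes, 1) if a != i):
            continue
        x = rng.getrandbits(2 * Q_BITS) % m
        if math.gcd(x, m) == 1 and not has_pth_root(x, primes[i - 1], s):
            return (m, x, Y), s

def database(B, q):
    """D(B, q, 1^k): x_j = x_{j-1}^(p_j^{B_j}) mod m for j = 1..n; the response is x_n."""
    m, x, Y = q
    for j, bit in enumerate(B, 1):
        x = pow(x, prime_seq(j, Y) ** bit, m)
    return x

def retrieve(i, q, s, r):
    """R(n, i, (q, s), r, 1^k): 1 iff r has a p_i-th root mod m, decided with s."""
    m, _, Y = q
    return int(has_pth_root(r, prime_seq(i, Y), s))

def run_pir(B, i, seed=1):
    """One full execution of the toy CPIR on bit list B; returns the recovered bit."""
    rng = random.Random(seed)
    q, s = query(len(B), i, rng)
    return retrieve(i, q, s, database(B, q))

def predicate_trace(B, i, seed=1):
    """R_i(x_0), ..., R_i(x_n) along D's computation: properties 1-4 of Section 3.1."""
    rng = random.Random(seed)
    (m, x, Y), s = query(len(B), i, rng)
    p_i = prime_seq(i, Y)
    trace = [int(has_pth_root(x, p_i, s))]
    for j, bit in enumerate(B, 1):
        x = pow(x, prime_seq(j, Y) ** bit, m)
        trace.append(int(has_pth_root(x, p_i, s)))
    return trace
```

Calling run_pir(B, i) recovers B_i for every i, and predicate_trace shows the predicate staying 0 before position i, switching to B_i there, and being preserved afterwards, exactly the four properties the correctness argument rests on. The only part of the query that depends on i is which prime of the public sequence is φ-hidden by m; deciding that without the factorization is what the ΦHA asserts to be hard.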



Theorem: Under the ΦA, (D, Q, R) is a polylog CPIR.

3.3 Proof of the Theorem

Running time (sketch). Subroutine P is efficient because (on inputs i, Y, and 1^k) its most intensive operation consists, for at most [?] times, of evaluating once a k-degree polynomial over GF(2^k) and running the primality prover T. Algorithm Q is efficient because subroutines P and T are efficient, because p_i is a k-bit prime with overwhelming probability, and because, under the ΦSA, selecting a random 2k^f-bit composite m ∈ H_{k^f} φ-hiding p_i is efficient. (Notice that, because n and i are presented in binary, Q actually runs in time polylogarithmic in n.) Algorithm D is efficient because it performs essentially one exponentiation mod m for each bit of the data string (and thus runs in time polynomial in k and linear in n). Algorithm R is efficient because of Fact 4 and because it has m's factorization (the secret s) available as an input. (R actually runs in time polynomial in k because m's length is polynomial in k.)

Correctness (sketch). Let us start with a quick and dirty analysis of the prime-sequence generator P. Because the elements of Y are randomly and independently selected, in every execution of P(a, Y, 1^k), the values z_0, ..., z_{2k − log n} are k^3-wise independent. Thus with probability lower bounded by 1 − 2^{[?]}, at least one of them is prime, and thus p_a is prime. Because the length n of the data string satisfies n^[?] < 2^k, with probability exponentially (in k) close to 1, all possible outputs p_1, ..., p_n are primes. Actually, with probability exponentially (in k) close to 1, p_1, ..., p_n consists of random and distinct primes of length k. Observe that the k^f-bit modulus m can φ-hide at most a constant number of primes from a set of randomly chosen k-bit primes except with exponentially (in k) small probability. Thus, with probability still exponentially (in k) close to 1, p_i will be the only prime in our sequence to divide φ(m).
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In sum, because it suffices for correctness to hold with exponentially (in k) 
high probability, we might as well assume that, in every execution of Q{n, i, 1^), 
Pi,... ,pn are indeed random, distinct primes of length k, such that only pi 
divides (j){m). Let Ri be the following predicate on 

^ . 1 1 if a; has a p^th root mod m 

Ri{x) = < 

I 0 otherwise. 

The user retrieves $b_i$ by evaluating $R_i(x_n)$. It is easy to check that properties 1-4 of our high-level design hold as promised:

1. $R_i(x_0) = 0$.

This property follows from the fact that the function $x \mapsto x^{p_j} \bmod m$ on $\mathbb{Z}_m^*$ is 1-to-1 if $p_j$ is relatively prime to $\phi(m)$ and at least $p_j$-to-1 otherwise. Because $p_i$ is in $\Theta(2^k)$ except with exponentially (in $k$) small probability, the probability that a random element of $\mathbb{Z}_m^*$ has a $p_i$th root mod $m$ is also exponentially small (in $k$). Thus we might as well assume that $x_0$ has no $p_i$th roots mod $m$ (remember that correctness should hold only most of the time).¹

2. $\forall j = 1, \ldots, i-1$, $R_i(x_j) = 0$.

This follows because $x_0$ has no $p_i$th roots mod $m$ and because if $x$ has no $p_i$th roots mod $m$, then for all primes $p$ not dividing $\phi(m)$ also $x^p$ has no $p_i$th roots mod $m$. Again because of the size of the primes $p_j$ for $j \ne i$, one can show that except with exponentially small (in $k$) probability, none of the $p_j$ divides $\phi(m)$.

3. $R_i(x_i) = 1$ if and only if $b_i = 1$.

If $b_i = 0$, then $x_i = x_{i-1}$. Thus, by property 2 above, $x_i$ has no $p_i$th roots mod $m$. If $b_i = 1$, then $x_i = x_{i-1}^{p_i} \bmod m$. Thus, $x_i$ has $p_i$th roots mod $m$ by construction.

4. $\forall j \ge i$, $R_i(x_{j+1}) = 1$ if and only if $R_i(x_j) = 1$.

The "if part" follows from the fact that if $x_j$ has $p_i$th roots mod $m$, then there exists a $y$ such that $x_j = y^{p_i} \bmod m$ and therefore also $x_{j+1} = x_j^{p_j} = y^{p_i p_j} = (y^{p_j})^{p_i} \bmod m$ has $p_i$th roots. For the "only-if part," see the proof of property 2 above.
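The following is an added example, not code from the paper: a toy instance of the retrieval step with a tiny modulus, so that properties 1-4 can be checked directly. It assumes hand-picked small primes instead of the prime-sequence generator $P$, builds $m = q_1 q_2$ directly so that $p_i \mid \phi(m)$ and no other $p_j$ does, and evaluates $R_i$ from the factorization the way algorithm $R$ would.

```python
# Added example (not from the paper): toy run of D and R_i with small numbers.
# Assumptions: primes are hand-picked rather than output by P; m = q1*q2 is
# built so that p_i | (q1 - 1) and no other p_j divides phi(m); R_i is
# evaluated with the factorization (the secret s), as algorithm R does.
from math import gcd


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def build_modulus(primes, i, q2_start=101):
    """Return (m, q1, q2) with p_i | (q1 - 1) and no other p_j dividing
    phi(m) = (q1 - 1)(q2 - 1): the situation 'm phi-hides exactly p_i'."""
    p = primes[i]
    others = [q for t, q in enumerate(primes) if t != i]
    r = 1
    while True:                       # q1 = 2*p*r + 1 prime, other p_j excluded
        q1 = 2 * p * r + 1
        if is_prime(q1) and all((q1 - 1) % q for q in others):
            break
        r += 1
    q2 = q2_start
    while not (is_prime(q2) and q2 != q1 and all((q2 - 1) % q for q in primes)):
        q2 += 1                       # gcd(p_j, q2 - 1) = 1 for every j
    return q1 * q2, q1, q2


def has_pth_root(x, p, q1):
    """Predicate R_i given the factorization: with p | q1 - 1 and
    gcd(p, q2 - 1) = 1, x is a p-th power mod m iff it is one mod q1,
    i.e. iff x^((q1-1)/p) = 1 (mod q1)."""
    return pow(x, (q1 - 1) // p, q1) == 1


def pick_x0(m, p, q1):
    """Smallest unit x0 with R_i(x0) = 0 (property 1); the paper picks x0
    at random and notes that R_i(x0) = 0 holds except with tiny probability."""
    x0 = 2
    while gcd(x0, m) != 1 or has_pth_root(x0, p, q1):
        x0 += 1
    return x0


def encode(bits, primes, m, x0):
    """Algorithm D: x_j = x_{j-1}^{p_j} mod m if b_j = 1, else x_j = x_{j-1}."""
    x = x0
    for b, p in zip(bits, primes):
        if b:
            x = pow(x, p, m)
    return x


def retrieve(bits, i, primes):
    """Full toy run: build m hiding p_i, encode the data string, apply R_i."""
    m, q1, _ = build_modulus(primes, i)
    x0 = pick_x0(m, primes[i], q1)
    x_n = encode(bits, primes, m, x0)
    return int(has_pth_root(x_n, primes[i], q1))


if __name__ == "__main__":
    # constructed sample data string and prime sequence
    BITS = [1, 0, 1, 1, 0, 1]
    PRIMES = [5, 7, 11, 13, 17, 19]
    print([retrieve(BITS, i, PRIMES) for i in range(len(BITS))])  # -> BITS
```

Running `retrieve` for every index recovers the whole sample string bit by bit, which is exactly properties 3 and 4 at work: exponentiating by the other $p_j$ neither creates nor destroys $p_i$th roots.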

Privacy (sketch). Suppose for contradiction that the privacy condition does not hold for $(D, Q, R)$. Then for all $b, c, d > 0$, there exist $n$, indices $i$ and $j$ ($i \ne j$), $k > \log n^b$, and a $2^{k^c}$-gate circuit $A$ (with binary output) such that

$$|\alpha_1 - \alpha_2| > \epsilon$$

for some $\epsilon > 2^{-k^d}$, where

$$\alpha_1 = \mathrm{PROB}\big[((m, x, Y), s) \leftarrow Q(n, i, 1^k) : A(n, (m, x, Y), 1^k) = 1\big],$$

$$\alpha_2 = \mathrm{PROB}\big[((m, x, Y), s) \leftarrow Q(n, j, 1^k) : A(n, (m, x, Y), 1^k) = 1\big].$$

¹ We choose $x_0$ at random rather than ensuring that it has no $p_i$th roots mod $m$ to facilitate proving the privacy constraint.
(Intuitively, $A$'s advantage $\epsilon$ is always bigger than any exponentially small in $k$ quantity.) Define now the following probability:

$$\beta = \mathrm{PROB}\big[m \leftarrow H_k^f;\ Y \leftarrow \mathrm{GF}(2^k)^{k^3};\ x \leftarrow \mathbb{Z}_m^* : A(n, (m, x, Y), 1^k) = 1\big].$$

(Notice that, in the sequence of experiments defining $\beta$, $Y$ still defines a prime $p_i$ and a prime $p_j$ with overwhelming probability, but there is no guarantee that $m$ $\phi$-hides either of them.) It follows that either $|\alpha_1 - \beta| > \epsilon/2$ or $|\alpha_2 - \beta| > \epsilon/2$. W.l.o.g. assume $|\alpha_1 - \beta| > \epsilon/2$ and also $\alpha_1 - \beta > \epsilon/2$.

We can construct a guessing circuit $C = C_{n,i}$ to contradict the $\Phi$HA as follows.

Guessing circuit $C_{n,i}(\cdot, \cdot)$.

Inputs: a number $m \in H_k^f$ and a $k$-bit prime $p$.

Output: a bit $b$ (indicating whether $m$ $\phi$-hides $p$).

Code for $C_{n,i}(m, p)$:

1. Choose $k^3$ uniformly random $k$-bit numbers $a_1, \ldots, a_{k^3}$.

2. Run primality prover $T$ on $a_j$ for $j = 1, \ldots, k^3$ and let $j'$ be the smallest $j$ for which $T(a_j) = 1$. If $T$ returns 0 for all $a_j$, then $j' \leftarrow k^3$.

3. Use Lagrange interpolation to find the coefficients $y_0, \ldots, y_{k^3-1}$ of a polynomial $f(\sigma)$ over $\mathrm{GF}(2^k)$ with degree $k^3 - 1$ such that $f(\sigma_{i \circ j}) = a_j$ for $j = 1, \ldots, j'-1, j'+1, \ldots, k^3$ and $f(\sigma_{i \circ j'}) = p$, where $\sigma_{i \circ j} \in \mathrm{GF}(2^k)$ corresponds to the $k$-bit string $i \circ j$ as in the prime-sequence generator $P$. Let $Y = (y_0, \ldots, y_{k^3-1})$.

4. Choose $x$ at random from $\mathbb{Z}_m^*$, and run $A(n, (m, x, Y), 1^k)$. If $A$ returns 0, then return 1, otherwise (if $A$ returns 1), then return 0.

Notice that $C$ can be constructed with a number of gates that is at most polynomially (in $k$) greater than the number of gates of $A$.

Above we have defined how $C$ operates for any $m \in H_k^f$ and any $p \in \mathrm{PRIMES}_k$. Let us now analyze $C$'s behavior on the input distribution required by the $\Phi$HA (i.e., when $m \leftarrow H_k^f$ and $p \in H^k(m)$ with probability 1/2 and $p \notin H^k(m)$ with probability 1/2) and calculate the probability that $C$ guesses correctly from which distribution $p$ is drawn.

$$\begin{aligned}
\mathrm{PROB}[C \text{ correct}] &= \tfrac12 \cdot \mathrm{PROB}[C \text{ correct} \mid p \in H^k(m)] + \tfrac12 \cdot \mathrm{PROB}[C \text{ correct} \mid p \notin H^k(m)] \\
&= \tfrac12 \cdot \mathrm{PROB}[C = 0 \mid p \in H^k(m)] + \tfrac12 \cdot \mathrm{PROB}[C = 1 \mid p \notin H^k(m)].
\end{aligned}$$

The distribution of the output of $C$ depends directly on $A$. If $p \in H^k(m)$ then, by construction, $A$ is run with the same input distribution as in the definition of $\alpha_1$, except for the case that $C$ finds no prime among $a_1, \ldots, a_{k^3}$ in step 2 (assume this is not the case for the moment). Let us examine $A$'s input distribution in $C$ when $p \notin H^k(m)$ and compare it to $A$'s input distribution in the definition of $\beta$. The experiment leading to $\beta$ contains three distinct cases for $p_i$:

1. $p_i$ is composite;

2. $p_i \in H^k(m)$; or

3. $p_i \notin H^k(m)$.

Note that case 3 is actually how $A$ is called by our $C$ in the $\Phi$HA and occurs with overwhelming probability. Let $\delta_0$ be the probability of case 1, which will be computed below, and assume for the moment that $p_i$ is indeed a random $k$-bit prime. The probability $\delta_1$ that a random element of $\mathrm{PRIMES}_k$ is in $H^k(m)$ is upper bounded by $k^3 2^{-k} = O(2^{-k/2})$. (This is the conditional probability of case 2 above given that $p_i$ is prime.) For $C$, this implies

$$\mathrm{PROB}[C = 1 \mid p \leftarrow \mathrm{PRIMES}_k] \le \mathrm{PROB}[C = 1 \mid p \notin H^k(m)] + \delta_1.$$

Now consider the case that no prime is detected among $a_1, \ldots, a_{k^3}$ in step 2. Because $T$ is an ideal primality prover, this probability is at most about $(1 - \frac{1}{k})^{k^3}$ and therefore $\delta_0 = O(2^{-k/2})$.

We can now bound $\mathrm{PROB}[C \text{ correct}]$ as

$$\begin{aligned}
\mathrm{PROB}[C \text{ correct}] &\ge \tfrac12 (1 - \delta_0) \cdot \mathrm{PROB}[C = 0 \mid p \in H^k(m)] + \tfrac12 (1 - \delta_0) \cdot \big(\mathrm{PROB}[C = 1 \mid p \leftarrow \mathrm{PRIMES}_k] - \delta_1\big) \\
&\ge \tfrac12 (1 - \delta_0) \cdot \alpha_1 + \tfrac12 (1 - \delta_0) \cdot (1 - \beta - \delta_1) \\
&\ge \tfrac12 (1 + \alpha_1 - \delta_0 - \beta - \delta_0 - \delta_1) \\
&> \tfrac12 (1 + \epsilon/2 - 2\delta_0 - \delta_1).
\end{aligned}$$

The last inequality follows from the assumption $\alpha_1 - \beta > \epsilon/2$.

To conclude, $C$ distinguishes correctly with probability at least

$$\frac12 + \frac{\epsilon}{4} - \delta_0 - \frac{\delta_1}{2}.$$

Intuitively, since $\delta_1$ and $\delta_0$ are exponentially small in $k$, but $\epsilon$ exceeds any exponentially small quantity, there remains an advantage for $C$ that is not exponentially small and it is clear that $C$ violates the $\Phi$HA. ∎
Abstract. We examine the concurrent composition of zero-knowledge proofs. By concurrent composition, we indicate a single prover that is involved in multiple, simultaneous zero-knowledge proofs with one or multiple verifiers. Under this type of composition it is believed that standard zero-knowledge protocols are no longer zero-knowledge. We show that, modulo certain complexity assumptions, any statement in NP has $k^\epsilon$-round proofs and arguments in which one can efficiently simulate any $k^{O(1)}$ concurrent executions of the protocol.

Key Words: Asynchronous Attacks, Zero Knowledge, Black-box Simulation.



1 Introduction 

Zero-knowledge proofs [ref] and arguments [ref] are interactive protocols between a prover (or arguer), $P$, and a verifier, $V$, which informally yield no knowledge except for the validity of the assertion. The original formal definition of zero-knowledge considered a very minimal context, and almost immediately, unexpected problems em erged when attempting to apply the notion of zero-knowledge to more practical contexts; the notion of zero-knowledge has been refined accordingly. For example, to make zero-knowledge closed under sequential composition, a number of researchers [ref] have proposed a modified definition, known as auxiliary zero-knowledge. A still cleaner model, motivated by these issues, is that of black-box simulation zero-knowledge [ref]; all of the results we will discuss are for this model.

In practice, it is often desirable to run a zero-knowledge proof many times in parallel, so as to lower the error probability without increasing the round complexity. Unfortunately, it is not clear how to efficiently simulate an arbitrary zero-knowledge proof in parallel in polynomial time. Indeed, Goldreich and Krawczyk [ref] have shown that for any language $L$ outside of BPP, there is no 3-message protocol for $L$ whose parallel execution can be simulated in black-box zero-knowledge. In their model, the verifier has oracle access to a truly random function; given the existence of cryptographically secure pseudorandom generators, the oracle can be reduced to simply a private string. However, based on reasonable computational assumptions, there exist constant-message (indeed, 4 messages suffice) interactive proofs and arguments whose parallel versions remain black-box simulatable.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 415-431, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999



1.1 Concurrent Repetition 

Parallel repetition combines many versions of the same protocol in lock step. 
When V is supposed to send its ith message, it must send the ith message for all 
of the parallel runs of the interactive proof. It cannot, for example, delay sending 
the first message from Game 2 until it has seen the first response in Game 5. 

However, in practice, one may wish to engage in many proofs simultaneously and concurrently. For example, one may conceivably give a zero-knowledge proof to establish one's identity whenever one accesses an internet-based service. Different processes may access a number of different services, with no synchronization. This scenario allows for an attack in which a verifier engages in many proofs with the prover, and arbitrarily interleaves the messages in these protocols. Intuitively, the verifier can run some of the protocols ahead in an attempt to gain information that will enable it to attack some of the other protocols.

Beth and Desmedt [5] first discussed such concurrent attacks in the context of identification protocols, and show how to defend against such attacks if parties have precisely synchronized clocks and the adversary is forced to delay its actions.

Dwork, Naor and Sahai [ref] consider the role of concurrent attacks on zero-knowledge protocols. They give 4-round zero-knowledge protocols for NP, assuming weak constraints on the synchrony of weak players: there exists a pair $(\alpha, \beta)$, where $\alpha < \beta$, such that when a good player has observed the passage of $\beta$ units of time, then every other good player has observed the passage of at least $\alpha$ units of time. Dwork and Sahai [ref] reduce (but do not eliminate) the timing constraints required by their defense.

A natural question is how to defend against arbitrary scheduling without any use of timing. A negative result by Kilian, Petrank and Rackoff [ref] extends the Goldreich-Krawczyk result to concurrent attacks, for essentially the same model. They show that for any 4-message proof system for a language $L$, if one can black-box simulate polynomially many asynchronous proofs, then $L \in$ BPP.



1.2 Our Model 

Following [ref], we consider a malicious verifier $V$ that is allowed to run up to $k$ interactive proofs with the prover $P$, where $k$ is a free parameter. For our results, $k$ may be replaced with $k^{O(1)}$. Within each proof, $V$ must follow the proper order
of the steps, but may arbitrarily interleave steps between different proofs. For 
example, V may execute the first step of Proof 1, then execute all of Proof 2 in 
order to obtain an advantage when it executes the second step of Proof 1. 

For a given, presumably malicious verifier, V, the simulator is given access 
to V, but not to the details of its internal state. It is allowed to run V, receiving 
“requests” for different proofs, and send V responses for these proofs. We assume 
without loss of generality that $V$ waits for the response before continuing (it never hurts to receive as much information as possible from the prover before sending one's next message). $V$ is allowed to schedule $k$ proofs arbitrarily, subject to the constraint that within each proof the steps are properly ordered.

Following the standard notion of black-box simulatability, the simulator $S$ is allowed to save $V$'s state and rewind $V$ back to a previously saved state. For ease of explication, we do not explicitly state when $S$ is saving $V$'s state, but speak only in terms of rewinding ($S$ may save $V$'s state after every message). Without loss of generality, we assume that $V$'s state includes all of the messages sent to it, though when restored to a previously saved state, no messages sent since the state was saved are remembered (i.e., we use the reasonable notion of $V$'s "memory"). Given $V$'s initial state, $S$'s interaction with $V$ induces a distribution on $V$'s final state. $S$'s goal is for this distribution to be statistically or computationally indistinguishable from the distribution on $V$'s final state after interacting with $P$.

Note that in our modeling of the adversary, we are considering ordering attacks, but not timing attacks [ref] in which one uses the actual response time from the prover to obtain information. There are implementation-specific defenses to such attacks [ref]; these methods and concerns are orthogonal to our own.

Similarly, we assume that while the verifier can delay a given message $M$ so that other messages are received before $M$, it cannot delay $M$ so as to make it unclear whether $M$ is actually going to arrive. That is, the prover and simulator can at some point know that no further messages are arriving. Without this stipulation, even a single execution of most protocols seems impossible to simulate: a malicious verifier $V$ might, with some probability, wait for some number of time-steps before giving its next answer, where $C$ is either $\infty$ or a large constant unknown to $S$. This attack forces $S$ to either keep on waiting or risk giving a slightly (but non-negligibly) distorted simulation.



1.3 Results of This Paper 

For ease of exposition, we assume the existence of certain publicly agreed upon bit commitment schemes, both from the prover to the verifier and from the verifier to the prover. We use an unconditionally binding, computationally private bit commitment scheme from the prover to the verifier. We use a computationally binding, unconditionally private bit commitment scheme from the verifier to the prover. The former can be based on one-way functions [ref], and the latter can be based on collision-resistant hash functions [ref].

Our main result is a transformation on zero-knowledge protocols for statements in NP. Our transformed protocol for a statement $T$ (or a proof of knowledge) has two parts: an $O(m)$-message preamble, for some parameter $m$, and a main body. The main body consists of a zero-knowledge proof of knowledge for a witness to a statement $T'$, which is a modified version of $T$. A witness for $T$ is also a witness for $T'$. The longer the preamble, the more resistant the resulting argument is to concurrent attacks.
Theorem 1. Assume the existence of the commitment schemes described above, and a proof system or argument for $T \in$ NP as described above. Let $\epsilon$ be an arbitrary positive constant and let $m = k^\epsilon$. The transformed protocol remains a proof of knowledge for $T$. Furthermore, there exists a polynomial-time black-box simulation for any concurrent attack using at most $k^{O(1)}$ versions of the proof. This simulation achieves computational indistinguishability.

As we mention below, there is no need for a public bit-commitment scheme; this convention simply drops some easily handled cases from our simulation and proof.

Quite recently, Rafail Ostrovsky and Giovanni Di Crescenzo have proposed a different solution for defeating concurrent attacks without timing [ref]. Their solution requires a round complexity that is greater than $m$, an a priori upper bound on the number of attacks; hence, $m$ must be known and bounded in advance. In our solution, $m = k^\epsilon$ is possible, and more to the point $m$ need not really be known in advance, though the larger $m$ is, the longer the simulation takes. However, the result in [ref] uses no additional complexity assumptions, and is thus an incomparable result.



1.4 Techniques Used 

We use a technique of Feige, Lapidot and Shamir [ref] in order to convert witness indistinguishable protocols into zero-knowledge protocols. Instead of proving Theorem $T$, the prover proves a technically weaker theorem, $T \vee W$, where $W$ is a statement that will fail to hold (or for which the prover will fail to have a witness) with extremely high probability. However, in the simulation, $S$ obtains a witness for $W$, and may then act as an ordinary prover. Similarly, we set up our proof system so that the simulator will have a "cheating" witness to the statement being proven.



Discussion. Indeed, at first glance it may appear that the method from [ref] can be used unchanged. Recall that in the scenario of [ref], the world begins with an agreement on a pseudorandom generator $g : \{0,1\}^\ell \to \{0,1\}^{2\ell}$ and the generation of a random string $R \in \{0,1\}^{2\ell}$ (for $\ell$ suitably large). Then, any proof of $T$ is replaced with a proof that $T$ is true or $g^{-1}(R)$ exists. To simulate the world from its creation, the simulator $S$ generates $g$ and $R = g(Q)$ for a random $Q \in \{0,1\}^\ell$. Then $S$ has a witness, $Q$, for any statement of the form "$T$ or $g^{-1}(R)$ exists." By an appeal to the witness indistinguishability of the underlying zero-knowledge proof, $S$ is indistinguishable from any other prover for this statement, despite the fact that its witness is quite different from that used by an actual prover.

Space precludes a detailed discussion, but we note that our construction gives a simulatability result that is more "standard" in the zero-knowledge framework. Also, we do not need a common string, guaranteed to be random. Although we, for ease of exposition, assume that a suitable bit commitment scheme has been standardized, we can relax this assumption with only a trivial change to the protocol and no substantive change to the simulator and its proof. On a high level, our methods don't try to "break" or alter the commitment scheme in any way, and thus this scheme can be decided on at the beginning of the protocol.



1.5 Guide to the Rest of the Paper 

In Section 2 we describe our transformation and how to simulate it. In Section 3 we analyze the efficiency and efficacy of our simulator. In Section 4 we discuss some simple extensions of our technique, and some open questions.



2 Transforming the Protocol 
2.1 The Protocol 

Let $T$ be the statement that $P$ is attempting to prove. We insert an $O(m)$-message preamble to the proof. Instead of simply giving a proof of $T$, $P$ and $V$ will each randomly choose and commit to $m$ numbers, $p_1, p_2, \ldots, p_m$ and $v_1, v_2, \ldots, v_m$ respectively. $P$ will then prove that either $T$ is true or that for some $i$, $p_i = v_i$.

V → P : Commit to $v_1, v_2, \ldots, v_m$
P → V : Commit to $p_1$
V → P : Reveal $v_1$
P → V : Commit to $p_2$
        ...
V → P : Reveal $v_i$
P → V : Commit to $p_{i+1}$
        ...
V → P : Reveal $v_m$
P → V : Zero-Knowledge Proof that ($\exists i$ s.t. $v_i = p_i$) $\vee$ ($T$ is true)

The protocol begins with $m + 1$ message exchanges. First $V$ sends $P$ a commitment to uniformly chosen $v_1, \ldots, v_m \in \{0, 1\}^q$, for some suitably large $q$. For simplicity, we assume that this commitment is information-theoretically secure. $P$ responds by sending a commitment to $p_1$. In exchange $i + 1$, for $1 \le i < m$, $V$ reveals $v_i$ and $P$ commits to $p_{i+1}$. Finally, $V$ reveals $v_m$. At the conclusion of these exchanges, $P$ responds by giving a zero-knowledge proof that either $T$ is true or that for some $i$, $p_i = v_i$. In the argument model, $P$ gives a statistical zero-knowledge proof that it knows either:

— a witness for $T$, or

— a witness for a pair $(i, \mathit{reveal})$ such that on seeing $\mathit{reveal}$ in the revelation of $p_i$, $V$ would accept that $p_i = v_i$.

Note that $P$ doesn't reveal which witness it knows, just that it knows one or the other. The general protocols of [ref] and [ref] may be used for this step (conceivably, more efficient protocols may be designed for useful special cases). The details of this interactive proof (argument) are unimportant.

There are two ways in which $P$ may cause $V$ to accept. Either it proves that $T$ is true or it takes the "easy option" by showing that some $p_i = v_i$. However, regardless of a (possibly malicious) prover $P$'s strategy, the easy option will be available only with probability exponentially small in $q$; by setting $q$ sufficiently large, this option occurs with negligible probability. Hence, the protocol remains a proof (of knowledge) of $T$.

2.2 Why We Can Simulate the Proof 

Since there is so little chance of guessing $v_i$, $P$'s strategy is to choose $p_i$ at random, or $0^q$, and simply proceed with the proof of $T$. Thus, for the correct prover, the preamble is irrelevant and for a malicious prover, the preamble is not useful. However, the simulator, $S$, can use the preamble to its advantage. After seeing $v_i$, it can rewind the conversation to the point where it is required to send $p_i$, and choose $p_i = v_i$. Because $V$ committed to these $v_i$ in the first message, $S$ need not worry that the $v_i$ change after the rewind as long as it doesn't rewind past the first message of the proof (which it might do while simulating a different proof).

Once $S$ has ensured that for some $i$, $p_i = v_i$, we say it has solved the protocol. It can complete the rest of the simulation (of this proof) without any further rewinding. When the actual proof begins, $S$ has an actual witness to the statement being proved, and can therefore proceed according to the algorithm used by the actual prover. Appealing to the witness indistinguishability of the zero-knowledge proof, it is impossible to distinguish whether $S$ used this witness or a witness for $T$.
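An added example (not the paper's code) of the single-proof case of this rewinding argument: the simulator sends a dummy $p_i$, learns $v_i$, restores $V$ to the state saved before the dummy commitment, and commits to $p_i = v_i$, which is the "easy option" witness. It assumes SHA-256 hash commitments standing in for both of the paper's commitment schemes, a verifier object that can be deep-copied and restored (the black-box save/rewind of Section 1.2), and omits the main body of the proof.

```python
# Added example (not from the paper): toy single-proof run of the preamble.
# Assumptions: commit(value, nonce) = SHA-256(value || nonce) stands in for
# both commitment schemes; the verifier is a Python object that S can
# deep-copy and restore (black-box rewinding); the main body is omitted and
# only the easy-option witness (i, reveal) is produced and checked.
import copy
import hashlib
import random


def rand_bytes(rng, n):
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def commit(value, nonce):
    return hashlib.sha256(value + nonce).digest()


def opens(com, value, nonce):
    return commit(value, nonce) == com


class Verifier:
    """Honest verifier: commits to v_1..v_m first, reveals v_i on seeing P's
    commitment to p_i, and remembers every commitment it was sent."""

    def __init__(self, m, q_bytes, rng):
        self.v = [rand_bytes(rng, q_bytes) for _ in range(m)]
        self.nonces = [rand_bytes(rng, 16) for _ in range(m)]
        self.seen = []                      # p-commitments received so far

    def first_message(self):
        return [commit(v, r) for v, r in zip(self.v, self.nonces)]

    def on_p_commit(self, i, com):
        self.seen.append(com)
        return self.v[i], self.nonces[i]    # revelation of v_i


def honest_prover_matches(m, q_bytes, seed):
    """Real prover: p_i is random, so p_i = v_i is a negligible-probability event."""
    rng = random.Random(seed)
    V = Verifier(m, q_bytes, rng)
    V.first_message()
    hits = 0
    for i in range(m):
        p_i = rand_bytes(rng, q_bytes)
        v_i, _ = V.on_p_commit(i, commit(p_i, rand_bytes(rng, 16)))
        hits += p_i == v_i
    return hits


def simulate(m, q_bytes, seed):
    """Simulator: send a dummy p_i, learn v_i, rewind V to before the dummy
    commitment, and commit to p_i = v_i instead. Returns the easy-option
    witness (i, reveal) plus what V ended up holding, or None on abort."""
    rng = random.Random(seed)
    V = Verifier(m, q_bytes, rng)
    v_commits = V.first_message()
    for i in range(m):
        saved = copy.deepcopy(V)            # S saves V's state before sending p_i
        nonce = rand_bytes(rng, 16)
        v_i, v_nonce = V.on_p_commit(i, commit(rand_bytes(rng, q_bytes), nonce))
        if not opens(v_commits[i], v_i, v_nonce):
            return None                     # invalid revelation: the prover aborts
        V = saved                           # rewind: V forgets the dummy commitment
        com = commit(v_i, nonce)            # now p_i = v_i
        v_again, _ = V.on_p_commit(i, com)
        if v_again != v_i:                  # excluded by V's first-message commitment
            return None
        return {"i": i, "reveal": (v_i, nonce), "commit": com,
                "seen_by_V": list(V.seen), "v_i": v_again}
    return None


def easy_option_accepts(result):
    """What V checks when shown the witness (i, reveal): the opening matches a
    commitment it actually received and the opened p_i equals the revealed v_i."""
    p_i, nonce = result["reveal"]
    return (result["commit"] in result["seen_by_V"]
            and opens(result["commit"], p_i, nonce)
            and p_i == result["v_i"])
```

After the rewind, $V$'s memory holds only the second commitment, which is why the rewound dummy commitment never shows up in the simulated transcript.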

2.3 Caveats

We mention three (of many) caveats regarding this approach. First, rewinding a single step in one proof can render irrelevant the simulations of many other proofs; nesting effects can cause exponential blowups in the simulation (as discussed in [ref]). However, since $S$ has $m$ places it can rewind in order to fix a proof's simulation, it can choose good times to rewind.

Second, an improper use of rewinding can alter the distribution on the verifiers' questions, rendering the simulation invalid. Our simulation runs in two modes: normal and look-ahead. The normal mode is a step by step simulation of the $k$ concurrent proofs. A step made in a normal proof is never rewound, facilitating the analysis of the distribution of the verifiers' messages. The look-ahead mode is invoked when the simulator, running in normal mode, is required to commit to $p_i$ to the verifier, for one of the simulated proofs. In look-ahead mode, the simulator will explore many possible simulation paths and return with either the value of $v_i$, allowing $S$ to solve this proof, or a statement that this is an unsuitable time to solve the proof. Once the look-ahead is complete, the simulator continues the normal-mode simulation. We show that $S$ can use the information obtained in its look-ahead mode yet still maintain a faithful simulation.

We must also take care to avoid malleability attacks [ref], where one links a commitment to the value of another party's commitment. For example, the prover might try to commit to the verifier's value, always achieving a match, or the verifier might try to foil the simulation by somehow opening up values different from those committed by the prover. Our asymmetric choice of commitment protocols prevents these attacks.



2.4 Preliminaries 

Let $v_{i,j}$ and $p_{i,j}$ denote the values of $v_i$ and $p_i$ committed to in the simulation of the $j$th proof. These values depend greatly on where we are in the simulation. In particular, they may be defined and then undefined when $S$ rewinds the simulation.

Within a simulation path, we number the protocols in order of appearance. 
Thus, orderings may differ between different paths, but this will not affect our 
analysis. 

During the preamble of a simulated protocol $j$, the verifier commits to $m$ strings, $v_{1,j}, \ldots, v_{m,j}$. By a standard argument, the probability that $v_{i,j}$ is successfully revealed to be different values at different times after being committed to is negligible. Thus, we'll speak of the "value" of $v_{i,j}$. However, if the simulator rewinds past the point where the verifier committed to $v_{1,j}, \ldots, v_{m,j}$, these values become undefined.

At some point in the protocol, the simulated verifier will send a string that is supposed to reveal $v_{i,j}$. This string will either actually reveal this unique value or fail to reveal any value. Note that in the actual protocol, $P$ aborts in the latter case.

During a path in the simulation, we say that a simulated protocol $j$ is solved if, for some $i$, $v_{i,j}$ has been determined and $p_{i,j}$ has not yet been sent. We say that a simulated protocol $j$ is aborted if the verifier fails to reveal $v_{i,j}$ when scheduled to do so. Note that rewinding and choosing a new path can change whether a simulated protocol is solved or is aborted.

If protocol $j$ has been solved, the simulator simulates the prover's messages as follows. If the prover is supposed to send $p_{i,j}$ then it sends $v_{i,j}$ if it is known and an arbitrary string otherwise. During the main body of the proof, the simulator has a witness to the statement being proved, and acts according to the algorithm used by an honest prover. In particular, no rewinding is ever needed.

2.5 The Simulator 

We let $k_0$ be a constant set to the initial value of $k$, which denotes the number of concurrent proofs. We show that if the number of message exchanges in the preamble is $m = k^\epsilon$ for any $\epsilon > 0$ then the above protocol can be simulated in polynomial time. This section describes the look-ahead procedure used by the simulator and how the simulator works in normal mode.

422    Ransom Richardson and Joe Kilian



Look-Ahead Mode. An $n$-proof look-ahead is a procedure used by $S$ to gather information about the messages $V$ is likely to send in the future. In the look-ahead phase, the simulation is allowed to proceed until certain events occur that cause it to be (prematurely) ended. The limited duration of the look-ahead makes it much more efficient than a full simulation, and indeed it is called many times during the simulation.

The $n$-proof look-ahead is called when $S$ is required to commit to some $p_{i,j}$. The main simulator runs many ($100 k_0^3$, to be precise) look-ahead simulations; we call these threads. We first describe one such thread, then describe how to use the results from many threads.

In the course of the simulation, the simulator is required to commit to strings $p_{a,b}$ and to engage in the main body of proofs. Along the way, it receives the values of strings $v_{a,b}$. A particular run of the $n$-proof look-ahead terminates when either $v_{i,j}$ has been revealed or the $(n+1)$st new proof, which started since the look-ahead began, is seen. The former case means that the mission is accomplished: $S$ can set $p_{i,j} = v_{i,j}$. The latter case means that the simulation is proceeding too far and risks becoming too complicated; it may not be cost effective to keep waiting for $v_{i,j}$ to be revealed.

We differentiate between the protocols $1, \ldots, z$ that have already begun and the protocols $z + 1, \ldots, z + n$ that begin during the look-ahead simulation. The look-ahead simulator recursively starts a normal-mode simulator (described later). The normal-mode simulator requires a parameter specifying the maximum number of simultaneous proofs; this parameter is set to $n$. All messages and requests related to proofs $z + 1, \ldots, z + n$ are forwarded to this recursive simulation.

The normal-mode simulation has the property that, with all but negligible probability, by the time $p_{m,a}$ has been committed to, proof $a$ will have been solved (see Section 3). The look-ahead mode is less careful about solving proofs which began before the look-ahead. In this mode, $S$ may commit to $p_{m,a}$ for an unsolved proof, and subsequently be unable to enter the main body of the proof. However, $S$ will only get stuck if $v_{m,a}$ is revealed. Whenever this happens, $S$ aborts the look-ahead and rewinds. We note that this rewinding will take $S$ to before it committed to $p_{m,a}$, so proof $a$ is now solved. Since less than $k_0$ proofs can begin before any given look-ahead, only $k_0$ of the look-ahead simulation paths will be aborted (the effect of these aborted paths is dealt with in Section 3). Because these simulation paths are always rewound they will not affect the distribution of the normal-mode simulation.

We formally describe the $n$-proof look-ahead simulation by a case analysis of how the simulator responds to various messages. Only the first three cases are related to the purpose of the look-ahead; the rest are simply to keep the simulation going in a faithful fashion. By convention, the simulation takes as its first message the message being handled at the time it was called.

V → S: Valid revelation of $v_{i,j}$.
S → V: Terminate the simulation (proof $j$ has been solved).

V → S: A commitment to $v_{1,a}, \ldots, v_{m,a}$, for $a = z + n + 1$.
S → V: Terminate the simulation (look-ahead is finished).

V → S: Invalid revelation of $v_{i,j}$.
S → V: Terminate the simulation (no chance of recovering $v_{i,j}$).

V → S: Any message related to protocol $a$, for $z < a \le z + n$.
S → V: Forward the message to the recursive simulation.

(We assume $1 \le a \le z$ in the remaining cases.)

V → S: Any message related to a solved proof $a$.
S → V: Answer according to the standard fashion for solved proofs.

V → S: Valid revelation of $v_{b,a}$, where $a$ is unsolved and $b < m$.
S → V: Commit to an arbitrary (random) value of $p_{b+1,a}$.

V → S: Invalid message related to proof $a$.
S → V: Sign-off message from simulated prover for proof $a$.

V → S: The value of $v_{m,a}$ for an unsolved proof $a$.
S → V: Abort this line of the simulation (the simulator cannot simulate the main body of the proof of an unsolved proof). However, note that proof $a$ is now solved at the point where the look-ahead simulation began, which allows us to bound how often this bad case occurs.

Combining the Result of the Look-Aheads. Each run of the $n$-proof look-ahead simulation either returns a solution to the proof ($v_{i,j}$) or announces a failure to do so. To give a faithful simulation, the simulator must flip coins (e.g., when committing to $p_{b,a}$). Thus, there is a probability distribution on these results. In the normal-mode simulation, whenever the look-ahead simulation is invoked it is in fact invoked $100 k_0^3$ times. If a solution is found in any of these invocations, the proof is solved. Otherwise, we will argue that with high (but not overwhelming) probability, at least $n$ proofs in the actual (normal-mode) simulation will be started before $v_{i,j}$ is revealed.

Normal Mode Simulation. Our simulator, working in normal mode, services the requests for up to $k$ asynchronous proofs; the parameter $k$ will be changed during recursive calls. Valid responses from $S$ can take the following form:

— $S$ signs off due to an invalid message.

— $S$ engages in the main body of a proof.

— $S$ commits to some $p_{i,j}$.

Handling invalid messages is trivial. Once $S$ has solved a proof $a$, it can easily engage in the main body of a proof as a prover, since it has a witness for this proof. We will ensure that with all but negligible probability, $S$ will always have solved a proof before it enters into the main body.

When $S$ must commit to some $p_{i,j}$, it runs the $n$-proof look-ahead procedure $100 k_0^3$ times, where $n = \lceil 2k/m \rceil$, in an attempt to recover $v_{i,j}$. If it succeeds it commits to $p_{i,j} = v_{i,j}$; otherwise, it commits to an arbitrary value of $p_{i,j}$.

As before, we describe the behavior of S by its response to various messages. 

Any message related to a solved proof a. 

Answer according to the standard fashion for solved proofs. 

A commitment to vi^a, ■ ■ ■ , Vm,a- 

Invoke the n = [2/c/m] -proof look-ahead simulation IOO/cq^ times. If 
vi^a is recovered, set pi^a = vi,a, else set pi^a arbitrarily. Commit to pi,a- 

valid revelation of Vb,a, b < m. 

Invoke the n = 2fc/m-proof look-ahead simulation lOOfco^ times. If 
recovered, set pb+i,a = Vb+i,a, else set pb+i,a arbitrarily. Commit to 

Any invalid message related to proof a 
Sign-off message from simulated prover for proof a. 

3 Analysis of the Simulation

Theorem 2. The simulator S described in the preceding section is a black-box simulator for the protocol that runs in time k^{O(1/ε)} on k non-synchronized proofs when m = k^ε for ε > 0.

Proof. (Sketch) This theorem will follow from the following lemmata. Lemma 3 and Lemma 4 show that S runs in time k^{O(1/ε)}. Lemma 6 shows that the simulator produces a valid output as long as it never gets stuck. Lemma 8 shows that the chance of getting stuck is negligibly small in m and the security parameter of the bit commitment schemes. □




3.1 Bounding the Running Time

We assume that a simulator can handle a single message and give a response in unit time. We note that since we consider the main body of the proof to be a single message, we consider that proof to be given in unit time. A more precise (and more cumbersome) statement is that the running time is the bound below multiplied by the amount of time it takes to perform the main body of the proof.

Lemma 3. The running time of the simulator is bounded by the function

$$t(k) = 100\, m\, k_0 \cdot t\!\left(\left\lceil \tfrac{2k}{m} \right\rceil\right) + k_0^{O(1)}.$$

Proof. (Sketch) First we note that each look-ahead thread begins a recursive simulation that handles up to ⌈2k/m⌉ further proofs. This takes time bounded by t(⌈2k/m⌉). Each look-ahead is repeated up to 100k_0 times, and S may attempt to solve each of the k_0 games by performing these look-aheads in m different places. This results in the coefficient of 100 m k_0. Each look-ahead thread also handles messages from previous games, whether solved or not. This takes unit time for each message. The number of messages, games and look-aheads are all polynomial in k_0, so the cost of this over all look-aheads is bounded by the k_0^{O(1)} term. □



Lemma 4. The recurrence t(k) = 100 m k_0 · t(⌈2k/m⌉) + k_0^{O(1)} is k_0^{O(1/ε)} when m = k_0^ε.

Proof. (Sketch) At each recursive step, k is divided by k_0^ε/2. Thus the total depth of the recursion is O(1/ε). Both the coefficient 100 m k_0 of the recursive term and the cost at each level of the recursion are bounded by k_0^{O(1)}. Therefore, the total cost is k_0^{O(1/ε)}. □
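To make the recursion of Lemma 3 and Lemma 4 concrete, the following Python snippet (an added example, not part of the paper) evaluates the recurrence t(k) = 100·m·k_0·t(⌈2k/m⌉) + k_0^c with m = k_0^ε rounded to an integer, and lists the value of k at each level of one root-to-leaf path of the recursion. The base case t(1) = 1, the exponent c of the additive k_0^{O(1)} term, and the clamp m ≥ 3 (the step k → ⌈2k/m⌉ only shrinks k when m > 2; the paper takes k_0 large) are assumptions made for the example.

```python
from functools import lru_cache
from math import log


def ceil_div(a: int, b: int) -> int:
    """Integer ceiling of a/b without floating point."""
    return -(-a // b)


def preamble_rounds(k0: int, eps: float) -> int:
    """m = k0^eps rounded to an integer and clamped to at least 3 (assumption
    for the example; the recursion below only terminates when m > 2)."""
    return max(3, round(k0 ** eps))


def recursion_levels(k0: int, eps: float) -> list:
    """Values of k on one root-to-leaf path of the simulator's recursion:
    the top level handles k0 proofs, each look-ahead handles ceil(2k/m)
    further proofs, and the path ends once a level handles a single proof."""
    m = preamble_rounds(k0, eps)
    levels = [k0]
    k = k0
    while k > 1:
        k = ceil_div(2 * k, m)
        levels.append(k)
    return levels


def simulator_cost(k0: int, eps: float, c: int = 1) -> int:
    """Evaluates t(k) = 100*m*k0*t(ceil(2k/m)) + k0^c with t(1) = 1.

    The exponent c of the additive k0^{O(1)} term and the unit base case are
    assumptions made for the example."""
    m = preamble_rounds(k0, eps)
    additive = k0 ** c

    @lru_cache(maxsize=None)
    def t(k: int) -> int:
        if k <= 1:
            return 1
        return 100 * m * k0 * t(ceil_div(2 * k, m)) + additive

    return t(k0)


def cost_exponent(k0: int, eps: float, c: int = 1) -> float:
    """log_{k0} t(k0): the exponent that Lemma 4 bounds by O(1/eps)."""
    return log(simulator_cost(k0, eps, c)) / log(k0)
```

For k_0 = 1024 and ε = 1/2 (so m = 32) the path is 1024 → 64 → 4 → 1, three levels deep, and t(1024) lies between 1024^6 and 1024^8: polynomial, with the exponent growing as 1/ε rather than with k_0.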

3.2 The Simulation Is Valid

Note that (S, V) doesn't just simulate the conversation, it implicitly simulates the internal state of V, that is, the state of the "black-box" V that S is interacting with. We can consider the conversation generated thus far to be part of V's internal state. Thus, the process of S interacting with V constitutes a sequence of transformations on V's state. We can similarly consider the interaction of P and V to be a sequence of transformations on V's state.

We say that S becomes stuck if it enters the main body of a proof that hasn't been solved. We designate all other moves made by the simulator as safe. Lemma 6 says that S will produce a valid simulation as long as S only performs safe moves.

Lemma 5. Any sequence of safe operations performs the identical (up to computational indistinguishability) transformations on V as the corresponding operations performed by P.

Proof. (Sketch) Whenever S interacts in a solved proof, it has a witness for the statement to be proven. Due to the witness indistinguishability of the zero-knowledge proof in the main body, and the security of the bit commitment scheme used by the prover, all actions taken by S are computationally indistinguishable from those taken by any other prover.

When S commits to p_{i,j}, it may first launch into many recursive subsimulations involving many backtrackings. However, at the end of all these subsimulations, S restores V to its initial state, chooses a value for p_{i,j} and commits to p_{i,j}. The value of p_{i,j} depends on the results of these subsimulations; its distribution may be completely different from that generated by P (indeed, whenever a proof is solved, its distribution is quite different). However, the distribution of messages sent for the commitment is the same (up to computational indistinguishability), regardless of this value.

Finally, by inspection, S responds to any illegal messages the same way as does P. □

Note that the notion of corresponding operations makes sense, because neither S nor P can control which type of operation it must make in response to V. Here, we are appealing to the computational indistinguishability of the commitment scheme from the prover to the verifier and the witness indistinguishability of the zero-knowledge protocols.

Now, given a particular configuration of V, S may run many simulations, 
due to the look-ahead mode. However, these simulations are ultimately thrown 
away. If one ignores all simulation threads arising from further recursive calls to 
the look-ahead mode (a currently active look-ahead mode may be continued), 
one obtains a unique sequence of transformations on V . This holds regardless 
of whether the particular configuration of V is encountered in normal mode or 
look-ahead mode. We call this sequence the main line of the evolution of V. 

The main line of V from its starting configuration constitutes the simulation 
of the proofs. The main line from the beginning of a look-ahead thread goes to 
the point where S has finished this line or has been forced to discontinue the 
simulation (or get stuck). 

Lemma 6. Consider the evolution of V's configuration along its main line. Assuming that S never gets stuck, this evolution will be indistinguishable from the corresponding evolution obtained by interacting with P.

Proof. (Sketch) The evolution of V consists of it sending messages to S (resp. P) and then having S (resp. P) perform operations. As long as S doesn't get stuck, all of its operations will be safe, and by Lemma 5 their effect on V will be indistinguishable from the effect of the corresponding operations performed by P.

It remains to be shown that the evolution of V when it generates its next message in the simulation is faithful to that in the actual protocol. Note that this is a nontrivial statement: S could conceivably run V many times and pick a path in which V sends a message that is amenable to S. However, by inspection of the simulation algorithms, S never selects which path to follow based on what V says. Indeed, its selection process is completely rigid: paths taken in look-ahead mode are ultimately not pursued; the main line path is pursued, at least locally (it may be thrown away later if it is part of a larger look-ahead path). Along any main line path, S obtains V's message exactly once, by running V in the normal manner. Hence, V's internal evolution is also identical to that obtained by interacting with P. □

3.3 Bounding the Probability of Getting Stuck

Lemma 6 implies that the main line from a configuration of V is indeed simulated correctly, as far as it goes (since in look-ahead mode, a simulation is typically ended prematurely) and as long as S doesn't get stuck. We now show that S gets stuck along any main line with negligible probability.

While in look-ahead mode, S never becomes stuck on a proof which began before the look-ahead, since it simply aborts the thread if it is about to become stuck. From then on that proof is solved, so the number of times S aborts is limited. This strategy cannot be employed in normal mode (at least on the top level of the recursion) since such stopping would constitute a failure to finish the overall simulation.

Recall that for any proof started in normal mode, the simulator tries m times to solve some proof a, by going into look-ahead mode in order to determine v_{i,a} for each i. We characterize the various outcomes of this attempt.

— (complete success) The look-ahead recovers v_{i,a}, solving proof a.

— (win by forfeit) During the main line, the next message from V regarding proof a is ill formed (does not reveal v_{i,a} when it should have).

— (honorable failure) The look-ahead fails to solve proof a, and during the main line more than 2k/m new proofs are begun before V reveals v_{i,a}.

— (dishonorable failure) The look-ahead fails to solve proof a, then during the main line at most 2k/m new proofs are begun, after which V sends a correct revelation of v_{i,a}.

Clearly, a single complete success or a win by forfeit will cause the game to be solved. We must show that with high probability, one of the m attempts will result in a complete success or a win by forfeit.

We next observe that an honorable failure can happen at most m/2 times. Since the normal mode only handles k games, m/2 honorable failures result in more than (2k/m) · (m/2) = k new games, a contradiction. Thus, it remains to bound the probability of m/2 dishonorable failures.

We will prove that the chance of getting stuck at any level in the recursion is negligibly small by using induction on k (the number of proofs in a call to the simulator). The base case, k = 1, is when the simulator is solving a single proof. The look-aheads will never encounter another proof and as a result can never become stuck. The following lemma will be needed to complete the inductive step.

Lemma 7. During any attempt to solve proof a, the probability of a dishonorable failure is at most 1/10 as long as the chance of getting stuck in a look-ahead is negligibly small.

Proof. (Sketch) S attempts to solve proof a by performing 100k_0 look-aheads after being asked to commit to p_{1,a}. We note that since these look-aheads have a negligibly small chance of getting stuck, Lemma 6 implies that they give a valid sampling of the possible paths of the conversation. In order for a dishonorable failure to happen, V must not reveal v_{1,a} during any of those look-aheads but then reveal it when S continues on in normal mode. We may assume that the chance of V revealing v_{1,a} is at least p = 1/10, since otherwise the dishonorable failure, which requires such a revelation, already has probability below 1/10.

Now we must show that the chance of S not learning v_{1,a} in any of the look-aheads is smaller than p. We must remember that some of the look-aheads could have been aborted if V revealed v_{m,b} for some unsolved proof b. But each time a look-ahead is aborted we solve proof b, so the maximum number of times the look-ahead is aborted is k_0 − 1. Thus it suffices to show that the chance of seeing v_{1,a} at most k_0 times is smaller than p.

It is easy to verify that for any b < a/3, $\binom{a}{b} < \binom{a}{b+1}/2$. Therefore the chance of seeing v_{1,a} at most k_0 times is at most twice the chance of seeing it exactly k_0 times. This chance is less than

$$\binom{100k_0}{k_0}\left(\tfrac{1}{10}\right)^{k_0}\left(\tfrac{9}{10}\right)^{100k_0 - k_0},$$

which is dominated by the factor (9/10)^{99k_0} and is therefore (much) less than 1/10.

Note that the above argument glossed over the fact that the safe steps are only computationally close to "real" steps. By a standard argument, this does not affect the analysis by more than a negligible amount. □



Lemma 8. The chance of S getting stuck is negligibly small in m and the security parameter of the bit commitment scheme.

Proof. (Sketch) We use induction on k. In the base case of k = 1 the simulator will trivially never get stuck because there are no other proofs to get stuck on. By induction we may assume that all look-aheads (which have smaller values of k) get stuck with negligibly small probability. The total number of look-aheads must be polynomial because the total running time of S is polynomial (see Lemma 3 and Lemma 4). Therefore the total chance of getting stuck in any look-ahead is also negligibly small. By Lemma 7 the chance of each dishonorable failure is less than 1/10. We note that for S to get stuck during a proof it must have had at least m/2 dishonorable failures. The chance of this is less than

$$\binom{m}{m/2}\left(\tfrac{1}{10}\right)^{m/2} < 2^{m}\left(\tfrac{1}{10}\right)^{m/2} = \left(\tfrac{2}{5}\right)^{m/2}.$$

There are a total of at most k proofs on which the simulator can get stuck, so the total chance of getting stuck is negligibly small.

Note that as with the previous argument, the above argument glossed over the fact that the safe steps are only computationally close to "real" steps. For this reason, the probability of getting stuck is negligibly small, not exponentially small. □
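The two tail bounds of Lemma 7 and Lemma 8 are easy to check numerically. The following Python snippet (an added example, not from the paper) computes them exactly with rational arithmetic: the probability that v_{1,a} shows up in at most k_0 of the 100k_0 look-aheads when each reveals it independently with probability p = 1/10, the paper's bound of twice the probability of exactly k_0 revelations, and, for Lemma 8, the probability of at least m/2 dishonorable failures among m attempts together with the union bound C(m, m/2)(1/10)^{m/2} and its closed form (2/5)^{m/2}. Treating the look-aheads and the attempts as independent Bernoulli trials at the worst-case probability is the modelling assumption of the example.

```python
from fractions import Fraction
from math import comb

P = Fraction(1, 10)  # the paper's p: a lower bound on V revealing v_{1,a}


def binomial_pmf(n: int, j: int, p: Fraction) -> Fraction:
    """Exact P[X = j] for X ~ Bin(n, p)."""
    return comb(n, j) * p ** j * (1 - p) ** (n - j)


def lookahead_shortfall(k0: int, p: Fraction = P) -> Fraction:
    """P[X <= k0] for X ~ Bin(100*k0, p): the bad event of Lemma 7, in which
    the at most k0 - 1 aborted threads can hide every revelation of v_{1,a}.
    Independence of the look-aheads is the example's modelling assumption."""
    n = 100 * k0
    return sum(binomial_pmf(n, j, p) for j in range(k0 + 1))


def lemma7_bound(k0: int, p: Fraction = P) -> Fraction:
    """Twice the probability of exactly k0 revelations, as used in Lemma 7."""
    return 2 * binomial_pmf(100 * k0, k0, p)


def stuck_probability(m: int, p: Fraction = P) -> Fraction:
    """P[X >= m/2] for X ~ Bin(m, p): at least m/2 of the m attempts on one
    proof are dishonorable failures (each modelled as independent with
    probability p; m must be even)."""
    assert m % 2 == 0
    return sum(binomial_pmf(m, j, p) for j in range(m // 2, m + 1))


def lemma8_bound(m: int, p: Fraction = P) -> Fraction:
    """Union bound over the C(m, m/2) choices of which attempts fail."""
    return comb(m, m // 2) * p ** (m // 2)


def lemma8_simple_bound(m: int) -> Fraction:
    """C(m, m/2) <= 2^m turns the union bound into (2/5)^{m/2}."""
    return Fraction(2, 5) ** (m // 2)
```

Already for k_0 = 1 the Lemma 7 bound is about 6·10^{-4}, far below the 1/10 the proof needs, and the (2/5)^{m/2} bound of Lemma 8 drops below 10^{-7} at m = 40.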

4 Extensions and Open Questions 

4.1 Extensions 

Our proof assumes that k is known. In the case where k is unknown, S may 
start by assuming that k = 1 and double k and restart the interaction each 



On the Concurrent Composition of Zero-Knowledge Proofs 429 



time it discovers that k is larger than it assumed. It is easy to verify that this has no effect on the output distribution and that the total running time is still polynomial.

We do not really need to have globally agreed upon commitment schemes. The modification is to add two messages to the protocol in which each party specifies the commitment scheme that should be used to commit to it (first the verifier, then the prover). The property we desire is that the commitments are unconditionally guaranteed to be zero-knowledge, regardless of how the scheme is specified (illegal specifications are treated as invalid messages). Thus, a party can use the other party's bit commitment system without any loss of its security. The party specifying the scheme has no obvious reason to make it easy to break, but this is not enforced. Such bit commitment schemes are easily constructed from known commitment schemes; due to space limitations, details are omitted from this manuscript.

We also note that there is essentially no reason why our construction doesn’t 
work even if the k proofs are different. 



4.2 Open Questions 

It is unknown whether there is a perfect simulation for non-synchronized composition of zero-knowledge proofs. We note that in the case when V always follows the protocol and successfully reveals v_i, we can modify the simulator so that it never gets stuck. We do this by having the simulator look ahead from the point it is forced to commit to p_m until v_m is revealed, if the proof has not yet been solved. If V is required to reveal v_m this is always successful. Then instead of being stuck, S is just in a bad case which may take longer to simulate, but it is still possible to do in polynomial time. Assuming the existence of a perfect commitment scheme, this non-cheating verifier allows us to provide a perfect simulation.

It would also be useful to show that it is possible to simulate non-synchronized composition with a constant number of message exchanges in the preamble. Again, assuming that the verifier always reveals v_i, our protocol can be modified so that it runs in polynomial time with a constant number of messages. This is interesting because it shows that the techniques used to lower-bound the simulation time of any four-message protocol cannot be extended to arbitrary constant-round proofs.

As mentioned in the introduction, we do not address timing issues in the verifier's attack. Even modeling what zero-knowledge should mean in this context, in a way that is both useful and possible, is an interesting open question.

Finally, it is paradoxical that such seemingly meaningless alterations in the protocol can restore zero-knowledge. Intuitively, it seems implausible that the protocol has been made more secure in practice. Ideally, one would like to have a notion of security that is more or less invariant under such transformations. The notions of witness hiding and witness indistinguishable protocols are good steps in this direction.



430 



Ransom Richardson and Joe Kilian 



5 Acknowledgments 

Kilian would like to thank Cynthia Dwork, Uri Feige, Moni Naor, Amit Sahai 
and Erez Petrank for many illuminating conversations on this subject. 



References

1. G. Brassard, D. Chaum, C. Crépeau. Minimum Disclosure Proofs of Knowledge. Journal of Computer and System Sciences, Vol. 37, 1988, pp. 156-189.

2. G. Brassard, C. Crépeau and M. Yung, "Constant-Round Perfect Zero-Knowledge Computationally Convincing Protocols", Theoretical Computer Science, Vol. 84, 1991, pp. 23-52.

3. T. Beth and Y. Desmedt. Identification tokens - or: Solving the chess grandmaster problem. In A. J. Menezes and S. A. Vanstone, editors, Proc. CRYPTO 90, pages 169-177. Springer-Verlag, 1991. Lecture Notes in Computer Science No. 537.

4. Ivan Damgård, Torben P. Pedersen, and Birgit Pfitzmann. On the existence of statistically hiding bit commitment schemes and fail-stop signatures. In Douglas R. Stinson, editor, Proc. CRYPTO 93, pages 250-265. Springer, 1994. Lecture Notes in Computer Science No. 773.

5. D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In ACM, editor, Proceedings of the twenty third annual ACM Symposium on Theory of Computing, New Orleans, Louisiana, May 6-8, 1991, pages 542-552, 1109 Spring Street, Suite 300, Silver Spring, MD 20910, USA, 1991. IEEE Computer Society Press.

6. Cynthia Dwork, Moni Naor, and Amit Sahai. Concurrent zero knowledge. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC-98), pages 409-418, New York, May 23-26 1998. ACM Press.

7. C. Dwork and A. Sahai. Concurrent zero-knowledge: Reducing the need for timing constraints. Lecture Notes in Computer Science, 1462, 1998.

8. U. Feige, D. Lapidot, and A. Shamir. Multiple non-interactive zero-knowledge proofs based on a single random string. In Proc. 31st Ann. IEEE Symp. on Foundations of Computer Science, pages 308-317, 1990.

9. U. Feige and A. Shamir, "Zero Knowledge Proofs of Knowledge in Two Rounds", Advances in Cryptology - Crypto 89 proceedings, pp. 526-544, 1990.

10. O. Goldreich, H. Krawczyk. On the Composition of Zero-Knowledge Proof Systems. SIAM J. on Computing, Vol. 25, No. 1, pp. 169-192, 1996.

11. S. Goldwasser, S. Micali, C. Rackoff. The Knowledge Complexity of Interactive Proofs. Proc. 17th STOC, 1985, pp. 291-304.

12. S. Goldwasser, S. Micali, C. Rackoff. The Knowledge Complexity of Interactive Proof Systems. SIAM J. on Computing, Vol. 17, No. 2 (1988), pp. 281-308.

13. S. Goldwasser, S. Micali, A. Wigderson. Proofs that Yield Nothing But their Validity or All Languages in NP have Zero-Knowledge Proofs. J. of the ACM, Vol. 38, No. 3, July 1991, pp. 691-729.

14. Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. Construction of a pseudo-random generator from any one-way function. Technical Report TR-91-068, International Computer Science Institute, Berkeley, CA, December 1991.

15. J. Kilian, E. Petrank, and C. Rackoff. Lower bounds for zero knowledge on the internet. In FOCS: IEEE Symposium on Foundations of Computer Science (FOCS), 1998.

16. Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, Advances in Cryptology - CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 104-113. Springer-Verlag, 18-22 August 1996.

17. Moni Naor. Bit commitment using pseudo-randomness. In Advances in Cryptology: CRYPTO '89, pages 128-137, Berlin, August 1990. Springer.

18. Y. Oren. On the cunning powers of cheating verifiers: Some observations about zero knowledge proofs. In Ashok K. Chandra, editor, Proceedings of the 28th Annual Symposium on Foundations of Computer Science, pages 462-471, Los Angeles, CA, October 1987. IEEE Computer Society Press.

19. R. Ostrovsky and G. Di Crescenzo. Personal Communication, September 15, 1998.

20. M. Tompa and H. Woll. Random self-reducibility and zero-knowledge interactive proofs of possession of information. In Proc. 28th Ann. IEEE Symp. on Foundations of Computer Science, pages 472-482, 1987.




Pseudorandom Function Tribe Ensembles Based on One-Way Permutations: Improvements and Applications

Marc Fischlin

Fachbereich Mathematik (AG 7.2)
Johann Wolfgang Goethe-Universität Frankfurt am Main
Postfach 111932
60054 Frankfurt/Main, Germany
marc@mi.informatik.uni-frankfurt.de
http://www.mi.informatik.uni-frankfurt.de/

Abstract. Pseudorandom function tribe ensembles are pseudorandom function ensembles that have an additional collision resistance property: almost all functions have disjoint ranges. We present an alternative to the construction of pseudorandom function tribe ensembles based on one-way permutations given by Canetti, Micciancio and Reingold. Our approach yields two different but related solutions: One construction is somewhat theoretic, but conceptually simple and therefore gives an easier proof that one-way permutations suffice to construct pseudorandom function tribe ensembles. The other, slightly more complicated solution provides a practical construction; it starts with an arbitrary pseudorandom function ensemble and assimilates the one-way permutation to this ensemble. Therefore, the second solution inherits important characteristics of the underlying pseudorandom function ensemble: it is almost as efficient, and if the starting pseudorandom function ensemble is invertible then so is the derived tribe ensemble. We also show that the latter solution yields so-called committing private-key encryption schemes, i.e., where each ciphertext corresponds to exactly one plaintext, independently of the choice of the secret key or the random bits used in the encryption process.

1 Introduction

Canetti, Micciancio and Reingold introduce the concept of pseudorandom function tribe ensembles. Informally, such tribe ensembles consist of pseudorandom functions that have an independent public key in addition to the secret key. Though this public key, called the tribe key, is independent of the secret key, it guarantees that any image/preimage pair commits to the secret key. More specifically, for a random tribe key t there do not exist secret keys k ≠ k' and a value x such that the functions determined by the keys k, t resp. k', t map x to the same value (except with exponentially small probability, where the probability is taken over the choice of t). Canetti et al. use such pseudorandom function tribe ensembles to construct perfectly one-way probabilistic hash functions.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 432 ff., 1999.

© Springer-Verlag Berlin Heidelberg 1999
In contrast to ordinary one-way functions, such perfectly one-way probabilistic hash functions hide all partial information about the preimage (secrecy), yet finding a hash value together with distinct preimages is infeasible (collision resistance). Canetti presents perfectly one-way hash functions based on a specific number-theoretic assumption, namely the Decisional Diffie-Hellman assumption. Generalizing this result, Canetti, Micciancio and Reingold show that perfectly one-way functions can be constructed from any cryptographic hash function (achieving secrecy statistically and collision resistance computationally) or from any pseudorandom function tribe ensemble (with computational secrecy and statistical collision resistance). In the latter case, the pseudorandomness of the tribe ensemble provides secrecy, and collision resistance follows from the property of the tribe key. Canetti et al. also prove that PRF tribe ensembles exist if one-way permutations exist. Their construction is a modification of the GGM-tree design of PRF ensembles combined with a generalization of the Goldreich-Levin hardcore predicate. A sketch of this construction is given in the appendix. Here, we take a different approach which consists of two elementary and independent steps. First, we show that any one-way permutation suffices to construct a PRF ensemble such that for distinct secret keys k, k' the functions determined by k and k' map 1^n to different values. We call such ensembles fixed-value-key-binding, as the key is determined by the function value for 1^n or, using a minor modification, for any other fixed value instead of 1^n. Second, we prove that fixed-value-key-binding PRF ensembles yield PRF tribe ensembles. After we presented a conceptually simple construction of fixed-value-key-binding ensembles based on the GGM-tree design to the authors of the original tribe-ensemble paper, they pointed out an improvement that led to the more practical solution, which does not necessarily involve the GGM-construction. Instead it works with every PRF ensemble by assimilating the one-way permutation to the given ensemble. This yields a fixed-value-key-binding PRF ensemble and, in turn, a PRF tribe ensemble which is almost as efficient as the starting PRF ensemble. Moreover, if the functions of the ordinary ensemble are invertible then so are the functions of the tribe ensemble. From a theoretical and practical point of view this gives us the best of both worlds: as for the theory, we obtain a simple proof that the existence of one-way permutations implies the existence of PRF tribe ensembles. For practical purposes, we present a construction where pseudorandomness is slightly harder to prove, but which has nice properties. In both cases, the second step, deriving the tribe ensemble from the fixed-value-key-binding ensemble, is identical. We give an outline of this part. It is reminiscent of Naor's statistically-binding bit commitment scheme. There, the receiver sends a random 3n-bit string A to the committing party, who applies a pseudorandom generator G: {0,1}^n → {0,1}^{3n} to a random value r ∈ {0,1}^n and returns G(r) ⊕ A to commit to 1, resp. G(r) to commit to 0. The receiver cannot distinguish both cases with significant advantage because of the pseudorandomness of the generator's output. On the other hand, to open a commitment ambiguously the sender has to find r, r' such that G(r) = G(r') ⊕ A. But #{G(r) ⊕ G(r') | r, r'} ≤ 2^{2n}, hence A ∈ {G(r) ⊕ G(r') | r, r'} with probability at most 2^{-n} (over the choice of A). This means that the commitment cannot be opened ambiguously with probability at least 1 − 2^{-n}. We adopt this idea to define our PRF tribe ensemble. Given a fixed-value-key-binding PRF ensemble F, we define an appropriate fixed-value-key-binding PRF ensemble F' with functions f'_k that stretch the input to a sufficiently large output. We then show that there exists a value I_k (depending on the secret key k) and a function XOR(t, I_k) of the tribe key t and I_k such that from the key-binding property it follows that for different keys k, k' and random t the value XOR(t, I_k) ⊕ XOR(t, I_{k'}) is a uniformly distributed string¹ having the same length as the output of F'. In other words, XOR(t, I_k) is an xor-universal hash function with argument I_k and description t. Define the functions of the PRF tribe ensemble by f^t_k(x) = f'_k(x) ⊕ XOR(t, I_k). A collision f^t_k(x) = f^t_{k'}(x) for x, k ≠ k' implies

$$f'_k(x) \oplus f'_{k'}(x) = \mathrm{XOR}(t, I_k) \oplus \mathrm{XOR}(t, I_{k'}).$$

Since the output length of the functions in F' is much bigger than the input length, and as XOR(t, I_k) ⊕ XOR(t, I_{k'}) is a random string for random t, collision resistance of the tribe ensemble is obtained as in Naor's bit commitment scheme. Additionally, we will show that the pseudorandomness of the tribe ensemble follows from the pseudorandomness of F'.
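The counting argument behind Naor's scheme, which the tribe construction above reuses, can be checked exhaustively at toy parameters. The following Python snippet is an added example (not code from the paper): it implements the commit/open steps for the receiver's challenge A, enumerates the bad challenges {G(r) ⊕ G(r') | r, r'}, confirms that there are at most 2^{2n} of them among the 2^{3n} possible A, and shows both sides of the argument: a commitment under a bad A that opens as 0 and as 1, and a binding A under which brute force finds no second opening. The generator G is a SHA-256-based stand-in truncated to 3n bits (an assumption of the example; at these sizes it is merely an expanding function, not a pseudorandom generator), and n = 6 is used so that all 2^n seeds can be enumerated.

```python
from fractions import Fraction
from hashlib import sha256


def prg(r: int, n: int) -> int:
    """Stand-in for G: {0,1}^n -> {0,1}^{3n}, SHA-256 truncated to 3n bits.

    Assumption for the example: at toy sizes this is a fixed expanding
    function; the real scheme needs a pseudorandom generator here."""
    digest = sha256(b"naor-G" + r.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << (3 * n)) - 1)


def commit(challenge: int, bit: int, r: int, n: int) -> int:
    """Committer's message for challenge A: G(r) for bit 0, G(r) xor A for 1."""
    return prg(r, n) ^ (challenge if bit else 0)


def verify_opening(challenge: int, c: int, bit: int, r: int, n: int) -> bool:
    """Receiver recomputes the commitment from the revealed (bit, r)."""
    return commit(challenge, bit, r, n) == c


def bad_challenges(n: int) -> set:
    """All A of the form G(r) xor G(r'): exactly the challenges under which
    some commitment opens both as 0 (with r) and as 1 (with r').  There are
    at most 2^{2n} of them among the 2^{3n} possible challenges."""
    seeds = range(1 << n)
    return {prg(r, n) ^ prg(r2, n) for r in seeds for r2 in seeds}


def ambiguity_fraction(n: int) -> Fraction:
    """Probability, over a uniformly random A, that A is a bad challenge."""
    return Fraction(len(bad_challenges(n)), 1 << (3 * n))


def find_ambiguous_opening(challenge: int, n: int):
    """Brute force (feasible only for toy n): seeds (r, r2) such that the
    commitment G(r) to 0 also opens as 1 with r2, or None if A binds."""
    seeds_by_output = {}
    for r in range(1 << n):
        seeds_by_output.setdefault(prg(r, n), []).append(r)
    for r in range(1 << n):
        # opening as 1 with r2 needs G(r2) xor A == G(r)
        matches = seeds_by_output.get(prg(r, n) ^ challenge, [])
        if matches:
            return r, matches[0]
    return None


def first_binding_challenge(n: int) -> int:
    """Smallest A outside the bad set; a random A lands outside it with
    probability at least 1 - 2^{-n}."""
    bad = bad_challenges(n)
    return next(a for a in range(1 << (3 * n)) if a not in bad)
```

Note that A = 0 is always a bad challenge (G(r) ⊕ G(r) = 0, so the two commitments under the same r coincide); the bound 2^{-n} accounts for it, and a receiver that picks A uniformly hits it, or any other bad A, with that probability only.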

Finally, based on our PRF tribe ensemble, we present a committing private-key encryption scheme, i.e., one in which nobody can later open an encryption ambiguously by pretending to have used a different secret key. Secure committing public-key encryption systems can be derived for example from trapdoor permutations using the Goldreich-Levin hardcore predicate. In fact, constructing the opposite, public-key schemes that allow one to open encryptions ambiguously, is a very interesting problem, because such schemes yield multiparty protocols secure against adaptive adversaries. Given an arbitrary fixed-value-key-binding PRF ensemble we present a straightforward solution for a committing private-key system. Unfortunately, this scheme allows one to deduce whether two encryptions have been generated with the same secret key, a drawback which schemes based on PRF ensembles usually do not have. Therefore, we present another committing system that does not have this disadvantage, and prove that this scheme is secure against chosen ciphertext and plaintext attacks or, equivalently, non-malleable.

2 Preliminaries

For the sake of self-containment, we briefly recall basic definitions of pseudorandom functions, pseudorandom generators, etc.; for the underlying intuition we refer to the standard literature. At the end of this section, we repeat the GGM-construction and the definition of pseudorandom function tribe ensembles. We present all definitions for uniform adversaries only; replacing the term "polynomial-time algorithm" by "polynomial circuit family" one easily obtains the nonuniform counterpart.

¹ Actually, this string will be uniformly distributed in a sufficiently large subset of the binary strings of the output length.
A function δ(n) is called negligible in n if δ(n) < 1/p(n) for any positive polynomial p(n) and all sufficiently large n. A polynomial-time computable function f is one-way if for any probabilistic polynomial-time algorithm A the probability Prob[A(1^n, f(x)) ∈ f^{-1}(f(x))] that A outputs a preimage of f(x) for random x ∈ {0,1}^n is negligible in n. A one-way function f is a one-way permutation if f permutes {0,1}^n for every n. A hardcore predicate of a one-way function f is a polynomial-time computable predicate B such that for any probabilistic polynomial-time algorithm A the advantage |Prob[A(1^n, f(x)) = B(x)] − 1/2| for random x ∈ {0,1}^n is negligible in n. According to a result of Goldreich and Levin, every one-way function can be modified to have a hardcore predicate. A polynomial-time computable function G is a pseudorandom generator if there exists some function ℓ(n) such that ℓ(n) > n and G(x) ∈ {0,1}^{ℓ(n)} for all x ∈ {0,1}^n and all n, and such that for any probabilistic polynomial-time algorithm D the advantage |Prob[D(G(x)) = 1] − Prob[D(y) = 1]| is negligible in n, where x is chosen at random from {0,1}^n resp. y from {0,1}^{ℓ(n)}. Pseudorandom generators exist if and only if one-way functions exist. A function ensemble with key space K = {K_n}_{n∈ℕ}, input length in(n) and output length out(n) is a sequence F = {F^{(n)}}_{n∈ℕ} of function families F^{(n)} = {f_k}_{k∈K_n} such that for any k ∈ K_n the function f_k maps bit strings of length in(n) to bit strings of length out(n). A function ensemble is polynomial-time computable if the length of the keys of K = {K_n} and in(n) are bounded by some polynomial in n and if there exists a polynomial-time algorithm Eval such that Eval(k, x) = f_k(x) for all n, k ∈ K_n and x ∈ {0,1}^{in(n)}. In the sequel we denote by R = {R^{(n)}}_{n∈ℕ} the function ensemble that contains all functions g: {0,1}^{in(n)} → {0,1}^{out(n)}; here in(n) and out(n), and therefore the key space of R^{(n)}, will be understood from the context. A polynomial-time computable function ensemble F (with key space K and input/output length in(n) and out(n)) is a pseudorandom function ensemble (PRF ensemble) if for any probabilistic polynomial-time algorithm D, called the distinguisher, the advantage |Prob[D^f(1^n) = 1] − Prob[D^g(1^n) = 1]| is negligible, where f is chosen at random from F^{(n)} (by selecting a random key from K_n) and g is a random function of R^{(n)} (where each function in R^{(n)} has input/output length in(n) and out(n)). A PRF ensemble F with key space K and input/output length in(n) = out(n) is called a pseudorandom permutation ensemble (PRP ensemble) if f_k is a permutation for any key k ∈ K_n and the advantage |Prob[D^f(1^n) = 1] − Prob[D^g(1^n) = 1]| is negligible for any probabilistic polynomial-time algorithm D, where f is a random function of F^{(n)} and g is a random permutation with input/output length in(n) = out(n). A PRP ensemble F is said to be a strong PRP ensemble if it even holds that |Prob[D^{f, f^{-1}}(1^n) = 1] − Prob[D^{g, g^{-1}}(1^n) = 1]| is negligible for any probabilistic polynomial-time algorithm D.

Pseudorandom function ensembles can be constructed from any pseudoran- 
dom generator via the GGM-tree design m- Let G denote a length-doubling 
pseudorandom generator, i.e., with output length £(n) = 2n; such generators 
can be constructed from any pseudorandom generators by modifying the output 
length. Let G^{x) resp. G^{x) denote the left and right half of G{x) and define 
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the function ensemble F with key space Kn = {0, 1}” and input/output length 
in(n) = out(n) = n by fk(x) = (• • • (A:)) • • • ). Here, xi,... ,x„ G 

{0, 1} and X = xi; - ■ ■ ;Xn is the concatenation of xi, . . . , The function fk 
can be described by a binary tree of depth n where the root is labeled with k and 
each left (right) child of a node v is labeled with G°(label(ti)) resp. G^(label(t’)). 
A value x G {0, 1}" then determines a path from the root to some leaf and the 
function value fk{x) equals the label of this leaf. Goldreich et al. ^21 prove that 
the derived ensemble F is pseudorandom. 

A PRF tribe function ensemble with key space K = {FfnlneiN and tribe key 
space T = {T„}„giN is a function ensemble F = of function 

families F^"^^ = {fl} k^Kn such that ^ is a PRF ensemble for any 
sequence {tnjnGiN) An G T„ of tribe keys, and such that for a randomly chosen 
tribe key t G T„ the probability that there exist x G {0, k,k' G AT„ 
with k ^ k' and fj:{x) = fl,{x) is at most 2“". The latter property is called 
(statistical) collision resistance. 

3 Constructing PRF Tribe Ensembles

We first show how to construct a PRF ensemble $F^{\mathrm{fix}}$ with $f_k^{\mathrm{fix}}(1^n) \ne f_{k'}^{\mathrm{fix}}(1^n)$ for keys $k \ne k'$. Put differently, the function value at $1^n$ commits to the key. We therefore say that this ensemble binds the key (for a fixed value) because once one has seen the value at $1^n$ one cannot later pretend to have used another key. Obviously, we can also take any other fixed value $x_0$ instead of $1^n$ by setting $f'_k(x) = f_k^{\mathrm{fix}}(x \oplus x_0 \oplus 1^n)$. We then use such a fixed-value-key-binding PRF ensemble to derive a pseudorandom function (with tribe key $t$) where $f_k^t(x) \ne f_{k'}^t(x)$ for any $x$, $k \ne k'$ with probability $1 - 2^{-n}$ over the choice of $t$. This is achieved by using Naor's idea as explained in the introduction. We can even modify the construction to obtain a key-binding-and-invertible pseudorandom function that binds the key and can be efficiently inverted given the secret key. Particularly, this implies that $f_k^t(x) \ne f_{k'}^t(x')$ for $(k, x) \ne (k', x')$ with probability $1 - 2^{-n}$, i.e., the function binds the key and the preimage with high probability. This somewhat weaker property can also be derived by extending the universal hash function $\mathrm{XOR}(t, l_k)$ to take arguments $x$ and $l_k$ instead of $l_k$. We discuss this construction at the end of the section. However, it is not clear that this solution is efficiently invertible using the key, a requirement that we need in Section 4 applying our construction to private-key encryption.



3.1 A Fixed-Value-Key-Binding PRF Ensemble

Clearly, a pseudorandom function ensemble with $f_k(1^n) \ne f_{k'}(1^n)$ for $k \ne k'$ can be derived via the GGM construction using a length-doubling pseudorandom generator $G$ which is one-to-one on the right half. In this case, the function value at $1^n$ is $G^1(\cdots G^1(k))$ and since $G^1$ is one-to-one this yields different values for different keys. According to a result by Yao [ref] such a pseudorandom generator

$G$ where $G^1$ is one-to-one can be constructed from any one-way permutation $g$ by setting

$$G(x) = B(g(x)); \cdots; B(g^n(x)); g^{n+1}(x)$$

Here, $g^i(x) = g(g^{i-1}(x))$ and $g^1(x) = g(x)$ and $B$ denotes some hardcore predicate of $g$. Obviously, $G^1(x) = g^{n+1}(x)$ is one-to-one (in fact, it is a permutation).
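As an added example (not code from the paper), the GGM tree of the previous section and the key-binding observation above, instantiated at a toy size in Python: Yao's generator is built from a stand-in permutation g (an unkeyed 3-round Feistel network, a permutation by construction but not one-way at 8 bits) with the least significant bit as the stand-in hardcore predicate, and the final check enumerates all 2^8 keys to confirm that f_k(1^n) differs for different keys. The sizes, the Feistel round function and all names are assumptions.

```python
import hashlib

N = 8                       # toy key/input length in bits: small enough to enumerate every key
MASK = (1 << N) - 1         # the all-ones string 1^N as an integer
HALF = N // 2
HMASK = (1 << HALF) - 1

def _round(i, half):
    """Feistel round function (constructed): SHA-256 of (round index, half), truncated to N/2 bits."""
    return hashlib.sha256(bytes([i, half])).digest()[0] & HMASK

def g(x):
    """Stand-in for the one-way permutation g: a fixed 3-round Feistel network over {0,1}^N.
    A Feistel network is a permutation whatever its round function; at 8 bits it is of
    course not one-way, it only supplies the structure the argument needs."""
    l, r = x >> HALF, x & HMASK
    for i in range(3):
        l, r = r, l ^ _round(i, r)
    return (l << HALF) | r

def B(x):
    """Stand-in for a hardcore predicate of g: the least significant bit."""
    return x & 1

def G(x):
    """Yao's generator G(x) = B(g(x)); ...; B(g^N(x)); g^{N+1}(x).
    Returns (G^0(x), G^1(x)): the N hardcore bits as the left half and g^{N+1}(x) as the
    right half. G^1 is a composition of permutations, hence itself a permutation of {0,1}^N."""
    bits, y = 0, x
    for _ in range(N):
        y = g(y)
        bits = (bits << 1) | B(y)
    return bits, g(y)

def ggm(k, x):
    """GGM tree: f_k(x) = G^{x_N}( ... G^{x_1}(k) ... ), reading the bits of x from x_1 (the MSB).
    Each bit selects the left (G^0) or right (G^1) child of the current node's label."""
    label = k                                  # the root is labeled with the key
    for i in range(N - 1, -1, -1):
        label = G(label)[(x >> i) & 1]
    return label

def ggm_bound_at(k, x, x0):
    """Bind the key at an arbitrary fixed value x0 instead of 1^N: f'_k(x) = f_k(x xor x0 xor 1^N)."""
    return ggm(k, x ^ x0 ^ MASK)

def values_at_all_ones():
    """f_k(1^N) for every key k. The path 1^N takes only right children, so this equals
    G^1(...G^1(k)...), a permutation of k: distinct keys give distinct values."""
    return [ggm(k, MASK) for k in range(1 << N)]

if __name__ == "__main__":
    vals = values_at_all_ones()
    print("distinct f_k(1^N) over all keys:", len(set(vals)), "of", 1 << N)
    print("f_5(10110011) =", ggm(5, 0b10110011))
```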

Another construction of fixed-value-key-binding ensembles was proposed by the authors of [ref] after presenting the GGM-based approach to them. The advantage is that we use the underlying pseudorandom function as a black box and merely add the length-doubling generator $G$ (with $G^1$ being one-to-one) on top. Particularly, instead of using the GGM construction one can start with any PRF ensemble. For instance, more efficient constructions of PRF ensembles based on synthesizers [ref] resp. on the Decisional Diffie-Hellman assumption [ref] suffice. In practice, one can also use appropriate candidates like the forthcoming AES.

So let $F^{\mathrm{start}}$ be an arbitrary PRF ensemble (the starting point). For simplicity, we suppose that each function of $F^{\mathrm{start}}$ maps $n$ bits to $n$ bits and that the key length equals $n$, too. We discuss below how to patch other cases. Set $k^b = G^b(k)$ for $b \in \{0,1\}$ and define the functions of $F^{\mathrm{fix}}$ by




Proposition 1. $F^{\mathrm{fix}}$ is a fixed-value-key-binding PRF ensemble.

Proof. (Sketch) The proof follows by standard hybrid techniques. Given a distinguisher that distinguishes $F^{\mathrm{fix}}$ and $\mathcal{R}$ with advantage $\delta(n)$ for infinitely many $n$, we either obtain an algorithm that distinguishes the output of $G$ from random bits with advantage $\delta(n)/2$ infinitely often or we derive an algorithm that distinguishes $F^{\mathrm{start}}$ and $\mathcal{R}$ with advantage $\delta(n)/2$ for infinitely many $n$. Obviously, $F^{\mathrm{fix}}$ binds the key for the fixed value $1^n$ because $G^1$ is one-to-one. □

Though $F^{\mathrm{start}}$ might be a pseudorandom permutation ensemble, $F^{\mathrm{fix}}$ does not inherit this property in general. However, a slight modification works: swapping the values that map to $k^1$ and $f^{\mathrm{start}}_{k^0}(1^n)$ we let

$$f_k^{\mathrm{fix}}(x) = \begin{cases} k^1 & \text{if } x = 1^n \\ f^{\mathrm{start}}_{k^0}(1^n) & \text{if } f^{\mathrm{start}}_{k^0}(x) = k^1 \\ f^{\mathrm{start}}_{k^0}(x) & \text{else} \end{cases} \qquad (1)$$

It is easy to see that $f_k^{\mathrm{fix}}$ is a permutation if $f^{\mathrm{start}}_{k^0}$ is. Moreover, the inverse of $f_k^{\mathrm{fix}}$ is efficiently computable (given the key $k$) if $f^{\mathrm{start}}_{k^0}$ has this property.

We remark that every PRF ensemble can be turned into a PRP ensemble [ref]; see [ref] for recent results. Yet, using the Luby-Rackoff transformation, the key length of the derived permutation grows. This can be handled by stretching the output length of the generator $G$ accordingly; it suffices that $G$ is one-to-one on the bits that replace the output at $1^n$. In particular, if the output length of $F^{\mathrm{start}}$ is smaller than the right half of $G(k)$ then we can first stretch the output of $F^{\mathrm{start}}$ at the cost of decreasing the input length slightly. We will use this technique in the next section, too, so we omit further details here. The proof that the ensemble $F^{\mathrm{fix}}$ defined by equation (1) is pseudorandom is similar to the proof of Proposition 1. It is also easy to show that $F^{\mathrm{fix}}$ is a strong PRP ensemble if $F^{\mathrm{start}}$ is.

Proposition 2. If $F^{\mathrm{start}}$ is a [strong] PRP ensemble then $F^{\mathrm{fix}}$ as defined in equation (1) is a fixed-value-key-binding [strong] PRP ensemble.

We remark that once the key is generated (by evaluating the pseudorandom generator) computing $f_k^{\mathrm{fix}}$ is as fast as computing $f^{\mathrm{start}}_{k^0}$. Particularly, $F^{\mathrm{start}}$ may be any fast practical pseudorandom function candidate. In contrast, using the GGM-based approach we have to apply $n$ times a pseudorandom generator which is one-to-one on the right half, e.g., based on a number-theoretic one-way permutation like RSA.

3.2 PRF Tribe Ensembles from Key-Binding PRF Ensembles

Let $F^{\mathrm{fix}}$ be a fixed-value-key-binding PRF ensemble (for the value $1^n$). In another intermediary step we define a PRF ensemble $F^{\mathrm{stretch}}$ that has input length $n-3$, but stretches the output length to $5n$. Define the functions $f_k^{\mathrm{stretch}} : \{0,1\}^{n-3} \to \{0,1\}^{5n}$ by

$$f_k^{\mathrm{stretch}}(x) = f_k^{\mathrm{fix}}(x000); \cdots; f_k^{\mathrm{fix}}(x011); f_k^{\mathrm{fix}}(x111)$$

Obviously, $F^{\mathrm{stretch}}$ is a PRF ensemble if $F^{\mathrm{fix}}$ is. Also note that computing $f_k^{\mathrm{stretch}}$ takes at most five evaluations of $f_k^{\mathrm{fix}}$, but due to the common prefix one might not need to carry out all evaluations of $f_k^{\mathrm{fix}}$ from scratch and save time.

Now we are able to define our tribe ensemble $F$ of functions $f_k^t : \{0,1\}^{n-3} \to \{0,1\}^{5n}$. The tribe key $t = (t_1, \ldots, t_n)$ consists of $n$ uniformly and independently chosen values $t_i \in \{0,1\}^{4n} \times \{0^n\}$, i.e., $t_i$ is a random $4n$-bit string filled up with $n$ 0-bits. Denote

$$l_k = f_k^{\mathrm{fix}}(1^n) = \text{rightmost } n \text{ bits of } f_k^{\mathrm{stretch}}(1^{n-3})$$

and let

$$\mathrm{XOR}(t, l_k) = \bigoplus_{i\,:\ i\text{-th bit of } l_k = 1} t_i$$

Then we set

$$f_k^t(x) = f_k^{\mathrm{stretch}}(x) \oplus \mathrm{XOR}(t, l_k) \qquad (2)$$

Note that once $k$ and $t$ are chosen, $\mathrm{XOR}(t, l_k)$ is also fixed. Therefore, evaluating $f_k^t$ at some point $x$ is quasi as efficient as computing $f_k^{\mathrm{stretch}}(x)$. The proof that $F$ is pseudorandom for any sequence of tribe keys is given below. We stress that the pseudorandomness of $F$ does not depend on the random choice of the tribe key. See the discussion in [ref]. Also note that if $f_k^{\mathrm{fix}}$ is one-to-one (e.g., a permutation) then $f_k^{\mathrm{stretch}}(x) \ne f_k^{\mathrm{stretch}}(x')$ resp. $f_k^t(x) \ne f_k^t(x')$ for $x \ne x'$.

Proposition 3. $F$ is a PRF ensemble for any sequence of tribe keys.

Proof. (Sketch) The proof follows by standard simulation arguments. Given an adversary $D$ that distinguishes a random function of $F$ and a randomly chosen function from the ensemble $\mathcal{R}$ we obtain a distinguisher $D^{\mathrm{stretch}}$ that distinguishes $F^{\mathrm{stretch}}$ and $\mathcal{R}$ with the same advantage. Note that both $D$ and $D^{\mathrm{stretch}}$ are given an arbitrary tribe key $t$ as input. For a function $f : \{0,1\}^{n-3} \to \{0,1\}^{5n}$ let $f^{\mathrm{sim}}(x) = f(x) \oplus \mathrm{XOR}(t, l)$, where $l$ denotes the rightmost $n$ bits of $f(1^{n-3})$. $D^{\mathrm{stretch}}$ simulates $D$ by answering all oracle queries $x$ with $f^{\mathrm{sim}}(x)$, where the underlying oracle $f$ of $D^{\mathrm{stretch}}$ is chosen from $F^{\mathrm{stretch},(n)}$ or $\mathcal{R}^{(n)}$. If $f$ is chosen at random from $F^{\mathrm{stretch},(n)}$ then $f^{\mathrm{sim}}$ is a random function of $F$. Assume that $f$ is a random function of $\mathcal{R}^{(n)}$. It is easy to see that in this case any value $f^{\mathrm{sim}}(x)$ is distributed independently of the other function values. Hence, it suffices to show that $\mathrm{Prob}_f[f^{\mathrm{sim}}(x) = y] = 2^{-5n}$ for any $x, y$. This is clear for $x \ne 1^{n-3}$. Consider the case $x = 1^{n-3}$. The rightmost $n$ bits of $f(x)$ are random bits and the rightmost $n$ bits of $\mathrm{XOR}(t, l)$ equal $0^n$. Hence, with probability $2^{-n}$ we have equality on these bits. The leftmost $4n$ bits of $f(x)$ are random bits that are independent of the other $n$ bits. Therefore, the probability that these bits equal the leftmost $4n$ bits of $y \oplus \mathrm{XOR}(t, l)$ is $2^{-4n}$ and both probabilities multiply due to the independence. □

Recall that a PRF tribe ensemble is collision-resistant (in a statistical sense) if there do not exist $x$ and $k, k'$ such that $k \ne k'$ and $f_k^t(x) = f_{k'}^t(x)$ except with exponentially small probability (over the random choice of the tribe key). In our case, we have $l_k \ne l_{k'}$ for $k \ne k'$ and a collision

$$f_k^t(x) = f_k^{\mathrm{stretch}}(x) \oplus \mathrm{XOR}(t, l_k) = f_{k'}^{\mathrm{stretch}}(x) \oplus \mathrm{XOR}(t, l_{k'}) = f_{k'}^t(x)$$

implies

$$f_k^{\mathrm{stretch}}(x) \oplus f_{k'}^{\mathrm{stretch}}(x) = \mathrm{XOR}(t, l_k) \oplus \mathrm{XOR}(t, l_{k'}) = \mathrm{XOR}(t, l_k \oplus l_{k'})$$

Because $l_k \oplus l_{k'} \ne 0^n$, the value $\mathrm{XOR}(t, l_k \oplus l_{k'})$ is uniformly distributed in $\{0,1\}^{4n} \times \{0^n\}$ for fixed $x$, $k \ne k'$ and random $t$. By the union bound we conclude that

$$\mathrm{Prob}_t[\exists\, x,\ k \ne k' \text{ s.t. } f_k^t(x) = f_{k'}^t(x)] \le 2^{3n-3} \cdot 2^{-4n} \le 2^{-n}$$

Thus we obtain:

Theorem 4. The ensemble $F$ defined by equation (2) is a PRF tribe ensemble.

Clearly, we can lower the error probability of the collision resistance. For example, to achieve an error of $2^{-4n}$ we extend $F^{\mathrm{stretch}}$ to $8n$ bits output and choose the $t_i$'s at random from $\{0,1\}^{7n} \times \{0^n\}$. If, in addition to an extended output length of at least $6n$ bits, we use a pseudorandom permutation $F^{\mathrm{fix}}$ then we derive a pseudorandom function tribe ensemble $F$ such that $f_k^t(x) \ne f_{k'}^t(x')$ for $(k, x) \ne (k', x')$ with probability at least $1 - 2^{-n}$ (taken over the choice of the tribe key only) and which is efficiently invertible given the secret key (for all possible tribe keys); to invert a value $y = f_k^t(x)$ invert the rightmost $n$ bits of $y$ under the starting pseudorandom function to obtain $x111$ and therefore $x$ (note that the r

ightmost $n$ bits of $\mathrm{XOR}(t, l_k)$ equal $0^n$). We call such an ensemble key-binding-and-invertible. Observe that the key-and-preimage-binding property alone can be achieved by taking output length $8n$ bits, choosing $2n-3$ strings $t_i$ from $\{0,1\}^{7n} \times \{0^n\}$ and letting $\mathrm{XOR}(t, l_k, x)$ be the exclusive-or of the $t_i$'s for which the $i$-th bit of $l_k; x$ equals 1.

4 Committing and Key-Hiding Private-Key Encryption

A well-known private-key encryption scheme based on PRF ensembles is given by $\mathrm{Enc}_k(m, r) = (r, f_k(r) \oplus m)$, where $k$ is the secret key, $m$ is the message and $r$ is chosen at random. To decrypt a pair $(r, c)$ compute $m = \mathrm{Dec}_k(r, c) = f_k(r) \oplus c$. This encryption scheme is not committing in general, i.e., for an encryption $(r, c)$ there might exist $(k, m)$, $(k', m')$ with $m \ne m'$ and $\mathrm{Enc}_k(m, r) = (r, c) = \mathrm{Enc}_{k'}(m', r)$. Conversely, we call a cryptosystem committing if for each ciphertext $c$ there exists a unique message $m$ such that $c$ must have been derived by applying the encryption algorithm to $m$; this holds independently of the choice of the secret key and the coin tosses used during the encryption process.

Before presenting the formal definition of committing schemes we sketch the definition of a private-key cryptosystem. A private-key encryption scheme is a triple (KGen, Enc, Dec) of probabilistic polynomial-time algorithms such that

— KGen on input $1^n$ generates a random key $k$,

— Enc on input $1^n$, key $k$, message $m$ (of some appropriate length) and randomness $r$ outputs a ciphertext $c = \mathrm{Enc}(1^n, k, m, r)$,

— $\mathrm{Dec}(1^n, k, \mathrm{Enc}(1^n, k, m, r)) = m$.

Wlog. we assume that $1^n$ is recoverable from $k$ and therefore write $\mathrm{Enc}(k, m, r)$ or $\mathrm{Enc}_k(m, r)$ instead of $\mathrm{Enc}(1^n, k, m, r)$. Similarly for Dec.

Definition 5 (Committing Private-Key Encryption Scheme). A private-key encryption scheme (KGen, Enc, Dec) is called committing if for any key $k$, message $m$, randomness $r$ and encryption $c = \mathrm{Enc}_k(m, r)$ there do not exist $k', m', r'$ such that $m \ne m'$ and $\mathrm{Enc}_{k'}(m', r') = \mathrm{Enc}_k(m, r)$.

Using a fixed-value-key-binding PRF ensemble the obvious solution $\mathrm{Enc}_k(m, r) = (f_k(1^n), r, f_k(r) \oplus m)$ works. The drawback of this solution is that an eavesdropper knows whenever the parties change the secret key. In some settings hiding this fact might be crucial. For instance, if one party sends the new secret key by encrypting it with the current one, then breaking this encryption by an exhaustive search makes all the following messages visible to the adversary. Applying the key-and-preimage-binding PRF tribe ensemble of Section 3 we can overcome this disadvantage. But before presenting our committing and key-hiding scheme we formalize the notion of a key-hiding scheme. Let (KGen, Enc, Dec) be a private-key encryption scheme and $D$ be a probabilistic polynomial-time algorithm. We consider two experiments. In the first experiment, we independently execute $\mathrm{KGen}(1^n)$ twice to obtain two keys $k, k'$. $D$ is given $1^n$ as input and is allowed to query the probabilistic oracles $\mathrm{Enc}_k$ and $\mathrm{Enc}_{k'}$ in the following way: In the first part, $D$ is allowed to obtain encryptions of messages of its choice by querying the oracle $\mathrm{Enc}_k$. Then it passes a message switch to the oracle $\mathrm{Enc}_k$. It continues to query for messages of its choice, but this time the answers are given by the second oracle $\mathrm{Enc}_{k'}$. Finally, $D$ outputs a bit, denoted $D^{\mathrm{Enc}_k, \mathrm{Enc}_{k'}}(1^n)$, and stops. The second experiment differs only in the way the oracles are initialized. This time we let $k' = k$, i.e., we do not change the keys. Denote by $D^{\mathrm{Enc}_k, \mathrm{Enc}_k}(1^n)$ the output.

Definition 6 (Key-Hiding Private-Key Encryption Scheme). A private-key encryption scheme (KGen, Enc, Dec) is said to be key-hiding if for any probabilistic polynomial-time algorithm $D$ the value $|\mathrm{Prob}[D^{\mathrm{Enc}_k, \mathrm{Enc}_{k'}}(1^n) = 1] - \mathrm{Prob}[D^{\mathrm{Enc}_k, \mathrm{Enc}_k}(1^n) = 1]|$ is negligible in $n$.

Actually, every secure¹ scheme should "hide" the key, i.e., it should not reveal the key. Otherwise it can be easily broken. However, Definition 6 demands even more. For instance, an encryption scheme where each encryption leaks the Hamming weight of the key with some probability that is not negligible does not hide the key as defined above. Yet, the scheme may be secure.

We remark that we do not grant $D$ access to the decryption oracles $\mathrm{Dec}_k$ and $\mathrm{Dec}_{k'}$, respectively. Otherwise $D$ could distinguish both cases easily: $D$ encrypts some message $m$ with the first oracle, sends switch and tries to decrypt with the second decryption oracle; this only yields $m$ again if the keys have not changed.

We define the committing and key-hiding encryption scheme $(\mathrm{KGen}^{\mathrm{com}}, \mathrm{Enc}^{\mathrm{com}}, \mathrm{Dec}^{\mathrm{com}})$. Let $F$ be a PRF tribe ensemble derived by the technique of Section 3.2 from a key-and-preimage-binding ensemble $F^{\mathrm{fix}}$. We assume that some trusted party chooses a random tribe key $t$ and publishes it or sends it to the participating parties, respectively. Hence, we do not achieve the committing property of Definition 5 perfectly, but only with exponentially small error probability. Abusing notations we will also call this derived scheme committing. Algorithm $\mathrm{KGen}^{\mathrm{com}}(1^n)$ selects a random $k \in K_n$. Let $\mathrm{Enc}^{\mathrm{com}}_k(m, r) = (f_k^t(r), r \oplus m)$ where $m, r \in \{0,1\}^{n-3}$. To decrypt a pair $(y, c)$ compute $r$ from the rightmost $n$ bits of $y$ by applying the inverse of $f_k^{\mathrm{fix}}$. Finally, recover $m$ by $m = r \oplus c$.

Proposition 7. The encryption scheme $(\mathrm{KGen}^{\mathrm{com}}, \mathrm{Enc}^{\mathrm{com}}, \mathrm{Dec}^{\mathrm{com}})$ is a committing and key-hiding encryption scheme.

Proof. (Sketch) It remains to show that the scheme is key-hiding. But this follows directly from the pseudorandomness of $F^{\mathrm{fix}}$. □
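As an added example (not the paper's code), the chain of Sections 3.1 and 3.2 and the committing scheme above, written out in Python at a toy size: f^start_k is a stand-in PRP (a key-seeded random permutation table), G is a stand-in generator whose right half is a fixed public permutation, f^fix follows equation (1), f^stretch, l_k, XOR(t, l_k) and f^t follow equation (2), and Enc^com/Dec^com follow the definition above; the collision counter enumerates every (x, k, k') for one tribe key. The sizes, the stand-in primitives, the sample key and the tribe-key seed are assumptions.

```python
import functools
import hashlib
import random

N = 8                       # toy key/block length in bits (small enough to enumerate every key)
MASK = (1 << N) - 1         # the fixed value 1^N
IN = N - 3                  # input length of f^stretch, f^t and of messages in Enc^com

@functools.lru_cache(maxsize=None)
def perm_table(seed):
    """Key-seeded random permutation of {0,1}^N (stand-in for a PRP f^start_k); tbl[x] = f(x)."""
    tbl = list(range(1 << N))
    random.Random(seed).shuffle(tbl)
    return tuple(tbl)

PUBLIC = perm_table("G^1")  # fixed public permutation used as the one-to-one right half of G

def G(k):
    """Length-doubling generator stand-in: (k^0, k^1) = (G^0(k), G^1(k)), with k -> k^1 one-to-one."""
    return hashlib.sha256(bytes([k])).digest()[0], PUBLIC[k]

def f_fix(k, x):
    """Equation (1): f^start_{k^0} with the outputs at 1^N and at the preimage of k^1 swapped,
    so that f_k(1^N) = k^1 commits to the key while f_k stays a permutation."""
    k0, k1 = G(k)
    p = perm_table(k0)
    if x == MASK:
        return k1
    if p[x] == k1:
        return p[MASK]
    return p[x]

def f_fix_inv(k, y):
    """Inverse of f_fix; needs the secret key k."""
    k0, k1 = G(k)
    p = perm_table(k0)
    if y == k1:
        return MASK
    if y == p[MASK]:
        return p.index(k1)
    return p.index(y)

def f_stretch(k, x):
    """f^stretch_k(x) = f_k(x000); f_k(x001); f_k(x010); f_k(x011); f_k(x111), 5N bits as one int."""
    out = 0
    for suffix in (0b000, 0b001, 0b010, 0b011, 0b111):
        out = (out << N) | f_fix(k, (x << 3) | suffix)
    return out

def l(k):
    """l_k: the rightmost N bits of f^stretch_k(1^{N-3}), i.e. f_fix(k, 1^N) = k^1."""
    return f_stretch(k, (1 << IN) - 1) & MASK

def sample_tribe_key(seed=2024):
    """t = (t_1, ..., t_N), each t_i uniform in {0,1}^{4N} x {0^N} (constructed from a fixed seed)."""
    rng = random.Random(seed)
    return [rng.getrandbits(4 * N) << N for _ in range(N)]

def xor_t(t, lk):
    """XOR(t, l_k): exclusive-or of the t_i for which the i-th bit of l_k (from the left) is 1."""
    acc = 0
    for i in range(N):
        if (lk >> (N - 1 - i)) & 1:
            acc ^= t[i]
    return acc

def f_tribe(t, k, x):
    """Equation (2): f^t_k(x) = f^stretch_k(x) xor XOR(t, l_k)."""
    return f_stretch(k, x) ^ xor_t(t, l(k))

def enc_com(t, k, m, r):
    """Enc^com_k(m, r) = (f^t_k(r), r xor m) for m, r in {0,1}^{N-3}."""
    return f_tribe(t, k, r), r ^ m

def dec_com(t, k, y, c):
    """Dec^com: the rightmost N bits of XOR(t, l_k) are 0^N, so the rightmost N bits of y
    equal f_fix(k, r111); invert them, drop the suffix 111 and unmask c."""
    r = f_fix_inv(k, y & MASK) >> 3
    return r ^ c

def collisions(t):
    """Number of (x, k, k') with k < k' and f^t_k(x) = f^t_{k'}(x); the paper bounds the
    probability (over t) that any such triple exists by 2^{-N}."""
    count = 0
    for x in range(1 << IN):
        seen = set()
        for k in range(1 << N):
            v = f_tribe(t, k, x)
            if v in seen:
                count += 1
            seen.add(v)
    return count

if __name__ == "__main__":
    t = sample_tribe_key()      # a trusted party would choose and publish this
    y, c = enc_com(t, 17, m=0b10101, r=0b00110)
    print("ciphertext:", (hex(y), bin(c)), "decrypts to", bin(dec_com(t, 17, y, c)))
    print("collisions over all (x, k, k') for this tribe key:", collisions(t))
```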

¹ Here, security does not refer to any formal definition. It is used in a rather liberal
It is quite easy to see that this scheme is polynomially secure as defined in [ref]. We sketch this and other security notions in Appendix B. In fact, it is not hard to show either that it is even secure against lunchtime attacks [ref].

Proposition 8. The scheme $(\mathrm{KGen}^{\mathrm{com}}, \mathrm{Enc}^{\mathrm{com}}, \mathrm{Dec}^{\mathrm{com}})$ is a committing and key-hiding private-key encryption scheme which is secure against lunchtime attacks.

The proof is omitted from this extended abstract.

The encryption scheme can be easily broken with a chosen ciphertext and plaintext attack (see [22], Appendix B) because given a ciphertext $(y, c)$ the adversary can query the decryption oracle for $(y, c \oplus 0 \cdots 01)$ and easily recover $m$ from the answer. Using an idea of Bellare and Rogaway [ref] we can turn the scheme above into an encryption scheme $(\mathrm{KGen}^{\mathrm{ccp}}, \mathrm{Enc}^{\mathrm{ccp}}, \mathrm{Dec}^{\mathrm{ccp}})$ which is secure against chosen ciphertext and plaintext attacks. To do so, we let

$$\mathrm{Enc}^{\mathrm{ccp}}_k(r, m) = (f_k(r; m), r \oplus m)$$

for $m, r \in \{0,1\}^{(n-3)/2}$. Defining $\mathrm{Dec}^{\mathrm{ccp}}$ is straightforward. Loosely speaking, appending $m$ to the argument $r$ of the pseudorandom function serves as a proof that one knows the values $r, m$ explicitly. Again, the formal proof is omitted.

Proposition 9. The committing and key-hiding private-key encryption scheme $(\mathrm{KGen}^{\mathrm{ccp}}, \mathrm{Enc}^{\mathrm{ccp}}, \mathrm{Dec}^{\mathrm{ccp}})$ is secure against chosen ciphertext and plaintext attacks.

Recently, Dolev et al. [ref] showed that (semantic) security against chosen ciphertext and plaintext attacks implies non-malleability. Hence, our scheme is non-malleable as well.
A The CMR PRF Tribe Ensemble — In a Nutshell

We sketch the construction of PRF tribe ensembles from one-way permutations given in [ref]. See their paper for discussions and proofs. Let $g'$ be a one-way permutation over $\{0,1\}^{6n}$ and assume that $g'(x; r) = g(x); r$ for $x, r \in \{0,1\}^{3n}$. Furthermore, we can assume wlog. that $g$ has no cycles of length less than $12n$. Let $p$ be a non-constant polynomial over $\mathrm{GF}[2^{3n}]$ and define a hardcore predicate $B_p : \{0,1\}^{6n} \to \{0,1\}$ of $g'$ by the inner product $B_p(x; r) = p(x) \cdot r$ of $p(x), r \in \{0,1\}^{3n}$. Then, for any polynomial $p$, we construct a length-doubling pseudorandom generator by

$$G_p(x; r) = B_p(x; r); B_p(g(x); r); \cdots; B_p(g^{6n-1}(x); r); g^{6n}(x); r$$

Denote by $G_p^0(x; r)$ and $G_p^1(x; r)$ the left and right half of $G_p(x; r)$. Additionally, we let $G : \{0,1\}^n \to \{0,1\}^{6n}$ denote an arbitrary pseudorandom generator which is one-to-one on the right half.

The tribe key $t$ consists of $n$ random, non-constant polynomials $p_1, \ldots, p_n$ of degree less than $6n$. Then let

$$f_k^t(x) = G_{p_n}^{x_n}(\cdots G_{p_1}^{x_1}(G(k)))$$

That is, $f_k^t$ is a GGM-tree using pseudorandom generators based on the modified Goldreich-Levin hardcore predicate.

B Security Notions of Private-Key Encryption Schemes

In this section we recall the notions of polynomial security [ref], security against lunchtime attacks [ref] resp. against chosen ciphertext and plaintext attacks [22]. See [ref] for further security definitions for symmetric schemes. We refer the reader to [ref] for a definition of non-malleable schemes, a notion that turned out to be equivalent to security against chosen ciphertext and plaintext attacks.

Consider the following attack on a private-key cryptosystem. Let $(F, D)$ be a pair of probabilistic polynomial-time algorithms. First, a secret key $k$ is chosen according to $\mathrm{KGen}(1^n)$ and kept secret from $F$ and $D$. Then the message finder $F$ gets the input $1^n$ and outputs two messages $m_0, m_1$. Let $b \in \{0,1\}$ be a fixed bit. A ciphertext $c = \mathrm{Enc}_k(m_b, r)$ for randomness $r$ is generated. Now $D$ is given input $1^n$, $m_0$, $m_1$ and $c$ and is supposed to predict $b$, i.e., to distinguish encryptions of $m_0$ and $m_1$. Let $\delta^b_{F,D}(n)$ denote the probability that $D$ outputs 1 if $m_b$ is encrypted. The probability is taken over all random choices, including the internal coin tosses of $F$ and $D$.

An encryption scheme is polynomially secure if $D$ cannot distinguish an encryption of $m_0$ from an encryption of $m_1$ significantly. More formally, it is polynomially secure if for all (probabilistic polynomial-time) adversary pairs $(F, D)$ the value $|\delta^0_{F,D}(n) - \delta^1_{F,D}(n)|$ is negligible in $n$.

A lunchtime attack is similar to the aforementioned attack, but $F$ is also allowed to adaptively query the encryption/decryption oracle for plaintexts and ciphertexts of its choice before outputting $m_0, m_1$, and $D$ is given the history of this query/answer sequence as additional input. An encryption scheme is secure against lunchtime attacks if it still holds that $|\delta^0_{F,D}(n) - \delta^1_{F,D}(n)|$ is negligible in $n$ for all (probabilistic polynomial-time) adversary pairs $(F, D)$.

A chosen ciphertext and plaintext attack is a lunchtime attack where $D$ is also allowed to adaptively query the encryption/decryption oracle, though $D$ is of course not allowed to decipher the challenge $c$. Again, an encryption scheme is secure against chosen ciphertext and plaintext attacks if $|\delta^0_{F,D}(n) - \delta^1_{F,D}(n)|$ is negligible in $n$ for all (probabilistic polynomial-time) adversary pairs $(F, D)$.
Abstract. Problems of secure communication and computation have been studied extensively in network models. Goldreich, Goldwasser, and Linial, Franklin and Yung, and Franklin and Wright have initiated the study of secure communication and secure computation in multi-recipient (broadcast) models. A "broadcast channel" (such as ethernet) enables one processor to send the same message — simultaneously and privately — to a fixed subset of processors. In their Eurocrypt '98 paper, Franklin and Wright have shown that if there are $n$ broadcast lines between a sender and a receiver and there are at most $t$ malicious (Byzantine style) processors, then the condition $n > t$ is necessary and sufficient for achieving efficient probabilistically reliable and probabilistically private communication. They also showed that if $n > \lceil 3t/2 \rceil$ then there is an efficient protocol to achieve probabilistically reliable and perfectly private communication. And they left open the question whether there exists an efficient protocol to achieve probabilistically reliable and perfectly private communication when $\lceil 3t/2 \rceil > n > t$. In this paper, by using a different authentication scheme, we will answer this question affirmatively and study related problems.

Keywords: Network security, Privacy, Perfect secrecy, Reliability.



1 Introduction

If two parties are connected by a private and authenticated channel, then secure communication between them is guaranteed. However, in most cases, many parties are only indirectly connected, as elements of an incomplete network of private and authenticated channels. In other words they need to use intermediate or internal nodes. Achieving participants' cooperation in the presence of faults is a major problem in distributed networks. The interplay of network connectivity and secure communication has been studied extensively (see, e.g., [ref]).

For example, Dolev [ref] and Dolev et al. [ref] showed that, in the case of $t$ Byzantine faults, reliable communication is achievable only if the system's network is $2t+1$ connected. Hadzilacos [ref] has shown that even in the absence of malicious failures connectivity $t+1$ is required to achieve reliable communication in the presence of $t$ faulty participants.



Goldreich, Goldwasser, and Linial [ref], Franklin and Yung [ref], and Franklin and Wright [ref] have initiated the study of secure communication and secure computation in multi-recipient (broadcast) models. A "broadcast channel" (such as ethernet) enables one participant to send the same message — simultaneously and privately — to a fixed subset of participants. Franklin and Yung [ref] have given a necessary and sufficient condition for individuals to exchange private messages in broadcast models in the presence of passive adversaries (passive gossipers). For the case of active Byzantine adversaries, many results have been presented by Franklin and Wright [ref]. Note that Goldreich, Goldwasser, and Linial [ref] have also studied the fault-tolerant computation in the public broadcast model in the presence of active Byzantine adversaries.



There are many examples of broadcast channels. A simple example is a local 
area network like an Ethernet bus or a token ring. Another example is a shared 
cryptographic key. By publishing an encrypted message, a participant initiates 
a broadcast to the subset of participants that is able to decrypt it. 



We will abstract away the concrete network structures and consider multicast graphs. Specifically, a multicast graph is just a graph $G(V, E)$. A vertex $A \in V$ is called a neighbor of another vertex $B \in V$ if there is an edge $(A, B) \in E$. In a multicast graph, we assume that any message sent by a node $A$ will be received identically by all its neighbors, whether or not $A$ is faulty, and all parties outside of $A$'s neighborhood learn nothing about the content of the message. The neighbor networks have been studied by Franklin and Yung in [ref]. They have also studied the more general notion of hypergraphs, which we do not need.

As Franklin and Wright [ref] have pointed out, unlike the simple channel model, it is not possible to directly apply protocols over multicast lines to disjoint paths in a general multicast graph, since disjoint paths may have common neighbors. Franklin and Wright have shown that in certain cases the change from simple channel to broadcast channel hurts the adversary more than it helps, because the adversary suffers from the restriction that an incorrect transmission from a faulty processor will always be received identically by all of its neighbors.

It was shown in [ref] that if there are $n$ broadcast lines (that is, $n$ paths with disjoint neighborhoods) between a sender and a receiver and there are at most $t$ malicious (Byzantine style) processors, then the condition $n > t$ is necessary and sufficient for achieving efficient probabilistically reliable and probabilistically private communication. They also showed that there is an efficient protocol to achieve probabilistically reliable and perfectly private communication when $n > \lceil 3t/2 \rceil$, and there is an exponential bit complexity protocol for achieving probabilistically reliable and perfectly private communication when $\lceil 3t/2 \rceil > n > t$. However, they left open the question whether there exists an efficient protocol to achieve probabilistically reliable and perfectly private communication when $\lceil 3t/2 \rceil > n > t$. In this paper, by using a different authentication scheme, we will answer this question affirmatively and study related problems. We will also show that it is NP-complete to decide whether a multicast graph has $n$ disjoint broadcast lines (that is, $n$ paths with disjoint neighborhoods).

Note that, similar as in Franklin and Wright [ref], we will only consider the scenario when the underlying graph is known to all nodes. For the scenario that the graph is unknown, the protocols may be completely different, see Burmester, Desmedt, and Kabatianski [ref].



2 Models

Throughout this paper, $n$ denotes the number of multicast lines and $t$ denotes the number of faults under the control of the adversary. We write $|S|$ to denote the number of elements in the set $S$. We write $x \in_R S$ to indicate that $x$ is chosen with respect to the uniform distribution on $S$. Let $\mathbf{F}$ be a finite field, and let $a, b, M \in \mathbf{F}$. We define $\mathrm{auth}(M, a, b) = aM + b$ (following [refs]). In this paper, we will also use a multiple authentication scheme. That is, for $a, b, c, d, M \in \mathbf{F}$, let $\mathrm{bauth}(M, a, b, c, d) = aM^3 + bM^2 + cM + d$. Note that the main advantage of the function bauth() is that each authentication key $(a, b, c, d)$ can be used to authenticate three different messages $M_0$, $M_1$, and $M_2$ without revealing any information of the authentication key. While for the function auth() each authentication key $(a, b)$ can only be used to authenticate one message (that is, it is a kind of one-time pad) (see Simmons [ref]). Note that den Boer [ref] used similar polynomials to construct one-time authentication schemes.



Theorem 1. Let $(a, b, c, d)$ be chosen uniformly from $\mathbf{F}^4$, $M_i \in \mathbf{F}$ for $i = 0, 1, 2$, and $s_i = \mathrm{bauth}(M_i, a, b, c, d)$ for $i = 0, 1, 2$ be the authentication code of $M_i$ respectively. Then, for any $a_0, b_0, c_0, d_0 \in \mathbf{F}$,

$$\Pr[a = a_0 \mid \mathrm{view}_0] = \Pr[b = b_0 \mid \mathrm{view}_0] = \Pr[c = c_0 \mid \mathrm{view}_0] = \Pr[d = d_0 \mid \mathrm{view}_0] = \frac{1}{|\mathbf{F}|}$$

where $\mathrm{view}_0 = (M_0, s_0, M_1, s_1, M_2, s_2)$.

Proof. By the condition, we have the following three equations with four unknowns:

$$M_0^3\, a + M_0^2\, b + M_0\, c + d = s_0$$
$$M_1^3\, a + M_1^2\, b + M_1\, c + d = s_1$$
$$M_2^3\, a + M_2^2\, b + M_2\, c + d = s_2.$$

Since the coefficient matrix of the above equations is a so-called Vandermonde matrix, no value of $a$ can be ruled out. That is, every $a$ is equally likely given the values $(M_0, s_0, M_1, s_1, M_2, s_2)$. (A similar argument applies for $b$, or $c$ or $d$.) This completes the proof of the theorem. □
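As an added example (not from the paper), Theorem 1 checked by brute force over the constructed field GF(13): the code lists every key in F^4 consistent with a view of three authenticated messages and counts how often each coordinate value occurs, and it also shows that a fourth tag under the same key pins the key down, that auth() is one-time, and that a message M_i = 0 returns d directly (so the statement implicitly needs nonzero messages for the d coordinate). The field size, the sample key and the messages are constructed values.

```python
P = 13   # constructed toy field GF(13); keys (a, b, c, d) range over all 13^4 = 28561 elements of F^4

def bauth(M, a, b, c, d):
    """bauth(M, a, b, c, d) = a*M^3 + b*M^2 + c*M + d over GF(P)."""
    return (a * M ** 3 + b * M ** 2 + c * M + d) % P

def auth(M, a, b):
    """auth(M, a, b) = a*M + b over GF(P): the one-time scheme."""
    return (a * M + b) % P

def view_of(key, messages):
    """The adversary's view: the (M_i, s_i) pairs authenticated under one bauth key."""
    return [(M, bauth(M, *key)) for M in messages]

def consistent_keys(view):
    """Every key in F^4 that reproduces all tags in the view, i.e. all the adversary can infer."""
    return [(a, b, c, d)
            for a in range(P) for b in range(P) for c in range(P) for d in range(P)
            if all(bauth(M, a, b, c, d) == s for M, s in view)]

def posterior(keys, coord, value):
    """Pr[key[coord] = value | view] for a key drawn uniformly from F^4, computed by counting
    over the consistent keys (coord 0..3 stands for a, b, c, d)."""
    return sum(1 for key in keys if key[coord] == value) / len(keys)

def auth_view_of(key, messages):
    return [(M, auth(M, *key)) for M in messages]

def auth_consistent_keys(view):
    """Same count for the one-time scheme: keys (a, b) in F^2 reproducing the view."""
    return [(a, b) for a in range(P) for b in range(P)
            if all(auth(M, a, b) == s for M, s in view)]

if __name__ == "__main__":
    KEY = (5, 11, 2, 7)                                  # constructed bauth key
    keys3 = consistent_keys(view_of(KEY, [1, 4, 9]))     # three distinct nonzero messages
    print("keys consistent with 3 tags:", len(keys3), "; Pr[a = 5 | view] =", posterior(keys3, 0, 5))
    print("keys consistent with 4 tags:", consistent_keys(view_of(KEY, [1, 4, 9, 12])))
    print("auth keys after 1 tag:", len(auth_consistent_keys(auth_view_of((5, 11), [3]))),
          "; after 2 tags:", auth_consistent_keys(auth_view_of((5, 11), [3, 8])))
    keys0 = consistent_keys(view_of(KEY, [0, 4, 9]))     # M_0 = 0 makes s_0 = d
    print("Pr[d = 7 | view with M_0 = 0] =", posterior(keys0, 3, 7))
```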
Following Franklin and Wright [ref], we consider multicast as our only communication primitive. A message that is multicast by any node in a multicast neighbor network is received by all its neighbors with privacy (that is, non-neighbors learn nothing about what was sent) and authentication (that is, neighbors are guaranteed to receive the value that was multicast and to know which neighbor multicast it). In our models, we assume that all nodes in the multicast graph know the complete protocol specification and the complete structure of the multicast graph. In a message transmission protocol, the sender $A$ starts with a message $M^A$ drawn from a message space $\mathcal{M}$ with respect to a certain probability distribution. At the end of the protocol, the receiver $B$ outputs a message $M^B$. We consider a synchronous system in which messages are sent via multicast in rounds. During each round of the protocol, each node receives any messages that were multicast by its neighbors at the end of the previous round, flips coins and performs local computations, and then possibly multicasts a message. We will also assume that the message space $\mathcal{M}$ is a representable subset of the finite field $\mathbf{F}$.

Generally there are two kinds of adversaries. A passive adversary (or gossiper adversary) is an adversary who can only observe the traffic through $t$ internal nodes. An active adversary (or Byzantine adversary) is an adversary with unlimited computational power who can control $t$ internal nodes. That is, an active adversary will not only listen to the traffic through the controlled nodes, but also control the messages sent by those controlled nodes. Both kinds of adversaries are assumed to know the complete protocol specification, message space, and the complete structure of the multicast graph. At the start of the protocol, the adversary chooses the $t$ faulty nodes. A passive adversary can view the behavior (coin flips, computations, messages received) of all the faulty nodes. An active adversary can view all the behavior of the faulty nodes and, in addition, control the messages that they multicast. We allow for the strongest adversary. (An alternative interpretation is that $t$ nodes are collaborating adversaries.)

For any execution of the protocol, let $adv$ be the adversary's view of the entire protocol. We write $adv(M, r)$ to denote the adversary's view when $M^A = M$ and when the sequence of coin flips used by the adversary is $r$.

Definition 2. (see Franklin and Wright [3])

1. A message transmission protocol is $\delta$-reliable if, with probability at least $1 - \delta$, $B$ terminates with $M^B = M^A$. The probability is over the choices of $M^A$ and the coin flips of all nodes.

2. A message transmission protocol is $\varepsilon$-private if for every two messages $M_0, M_1$ and every $r$, $\sum_c |\Pr[adv(M_0, r) = c] - \Pr[adv(M_1, r) = c]| \leq 2\varepsilon$. The probabilities are taken over the coin flips of the honest parties, and the sum is over all possible values of the adversary's view.

3. A message transmission protocol is perfectly private if it is $0$-private.

4. A message transmission protocol is $(\varepsilon, \delta)$-secure if it is $\varepsilon$-private and $\delta$-reliable.

5. An $(\varepsilon, \delta)$-secure message transmission protocol is efficient if its round complexity and bit complexity are polynomial in the size of the network, $\log(1/\varepsilon)$ (if $\varepsilon > 0$) and $\log(1/\delta)$ (if $\delta > 0$).

3 Background: Reliable Communication over Neighbor Networks

In this section, we review Franklin and Wright's Eurocrypt '98 protocols for reliable communication over multicast lines. The reader familiar with these protocols can skip this section. For two vertices $A$ and $B$ in a multicast graph $G(V,E)$, we say that $A$ and $B$ are connected by $n$ neighborhood (except $A$ and $B$) disjoint lines if there are $n$ lines $p_1, \ldots, p_n \subseteq V$ with the following properties:

— For each $j \leq n$, the $j$-th line $p_j$ is a sequence of $m_j + 2$ nodes $A = X_{0,j}, X_{1,j}, \ldots, X_{m_j+1,j} = B$ where $X_{i,j}$ is a neighbor of $X_{i+1,j}$.

— For each $j_1$ and $j_2$ with $j_1 \neq j_2$, the only possible common neighbors of $X_{i_1,j_1}$ and $X_{i_2,j_2}$ are $A$ and $B$.

If there is no ambiguity we drop the "except $A$ and $B$".

Without loss of generality, in this section we assume that party $A$ (the message transmitter) and party $B$ (the message recipient) are connected by $n$ neighborhood disjoint lines, and we assume that $m_1 = m_2 = \ldots = m_n$.

Basic Propagation Protocol (Franklin and Wright [8]) In this protocol, $A$ tries to propagate a value $s^A$ to $B$.

— In round 1, $A$ multicasts $s^A$.

— In round $p$ for $2 \leq p \leq m+1$, each $X_{p-1,j}$ ($1 \leq j \leq n$) expects to receive a single element from $X_{p-2,j}$. Let $u_{p-1,j}$ be this value if a value was in fact received, or a publicly known default element otherwise. At the end of round $p$, $X_{p-1,j}$ multicasts $u_{p-1,j}$.

— In round $m+2$, $B$ receives a single element from each $X_{m,j}$, or substitutes the default element. Let $s^B_j$ be the value received or substituted on line $j$.

From now on when a party substitutes the default element, we just say that the party substitutes.

Full Distribution Protocol (Franklin and Wright [?]) In this protocol, each internal node $X_{i,j}$ tries to transmit an element $s_{i,j}$ to both $A$ and $B$.

— In round 1, each $X_{i,j}$ ($1 \leq i \leq m$, $1 \leq j \leq n$) multicasts $s_{i,j}$ to (in particular) $X_{i-1,j}$ and $X_{i+1,j}$.

— In round $p$ for $2 \leq p \leq m+1$:

• For $1 \leq j \leq n$ and $p \leq i \leq m$, each $X_{i,j}$ expects to be the intended recipient of an element from $X_{i-1,j}$ (initiated by $X_{i-p+1,j}$). Let $u_{i,j}$ be the received value or a default value if none is received.

• For $1 \leq j \leq n$ and $1 \leq i \leq m-p+1$, $X_{i,j}$ expects to be the intended recipient of an element from $X_{i+1,j}$ (initiated by $X_{i+p-1,j}$). Let $v_{i,j}$ be the received or default value.

• For $1 \leq j \leq n$, $B$ expects to be the intended recipient on the $j$-th line of a single element (initiated by $X_{m-p+2,j}$). Let $s^B_{m-p+2,j}$ be the received or default value.

• For $1 \leq j \leq n$, $A$ expects to be the intended recipient on the $j$-th line of a single element (initiated by $X_{p-1,j}$). Let $s^A_{p-1,j}$ be the received or default value.

• $X_{i,j}$ multicasts $u_{i,j}$ to $X_{i+1,j}$ if $p \leq i \leq m$, and $v_{i,j}$ to $X_{i-1,j}$ if $1 \leq i \leq m-p+1$.

Fact 3. (Franklin and Wright [?]) If there are no faults on the $j$-th line, then $s^A_{i,j} = s^B_{i,j}$ for all $1 \leq i \leq m$. Further, if $X_{i,j}$ is the only fault on the $j$-th line, then $s^A_{i,j} = s^B_{i,j}$.
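The second half of Fact 3 is the property that makes the multicast model different from point-to-point channels: a faulty node can lie about what it relays, but its own key leaves it in a single multicast that both neighbors receive. The following simulation of the Full Distribution Protocol on one line is an added example, not code from the paper; the key values, the tamper function and the choice of which node is faulty are constructed here.

```python
# Added example (not from the paper): one multicast line A = X_0, X_1, ..., X_m, X_{m+1} = B
# running the Full Distribution Protocol, to check Fact 3.  Following the page's multicast
# primitive, whatever a node multicasts in a round reaches both of its neighbours unchanged,
# so a faulty node can alter what it relays but cannot give its two neighbours different
# values for its own key.  Node behaviour, key values and the tamper function are constructed.
import random

DEFAULT = 0  # publicly known default element, substituted when nothing is received


def full_distribution(m, keys, faulty=frozenset(), tamper=lambda x: x + 1):
    """Rounds 1..m+1 of the Full Distribution Protocol on a line with m internal nodes.

    keys[i] is the element s_i initiated by X_i (1 <= i <= m).  Nodes whose index is in
    `faulty` apply `tamper` to every value they relay.  Returns (sA, sB): the value A and B
    receive (or substitute) as the element initiated by each X_i, as dicts indexed 1..m.
    """
    # msgs[i]: what X_i multicast in the previous round, split into the value travelling
    # toward B ("u") and toward A ("v").  In round 1 the single multicast s_i serves both.
    msgs = {i: {"u": keys[i], "v": keys[i]} for i in range(1, m + 1)}
    sA, sB = {}, {}
    for p in range(2, m + 2):                       # rounds 2 .. m+1
        # A hears X_1's "v", initiated by X_{p-1}; B hears X_m's "u", initiated by X_{m-p+2}.
        sA[p - 1] = msgs[1]["v"] if msgs[1]["v"] is not None else DEFAULT
        sB[m - p + 2] = msgs[m]["u"] if msgs[m]["u"] is not None else DEFAULT
        new = {}
        for i in range(1, m + 1):
            u = v = None
            if p <= i:                              # expects a value from X_{i-1}
                u = msgs[i - 1]["u"]
                u = DEFAULT if u is None else u
            if i <= m - p + 1:                      # expects a value from X_{i+1}
                v = msgs[i + 1]["v"]
                v = DEFAULT if v is None else v
            if i in faulty:                         # a faulty relay may change what it forwards
                u = None if u is None else tamper(u)
                v = None if v is None else tamper(v)
            new[i] = {"u": u, "v": v}
        msgs = new
    return sA, sB


def first_agreed_index(sA, sB):
    """Smallest i with sA[i] == sB[i]: the "first key agreed upon" that Section 4.3 puts into
    K^A.  (In the protocol A learns B's values only through the authenticated round trip;
    the direct comparison here is just for illustration.)"""
    for i in sorted(sA):
        if sA[i] == sB[i]:
            return i
    return None


def fact3_check(m=5, faulty_node=3, seed=1):
    """Fact 3 on a line with m internal nodes and a single faulty node X_{faulty_node}."""
    rng = random.Random(seed)
    keys = {i: rng.randrange(1, 1000) for i in range(1, m + 1)}   # constructed key values
    sA, sB = full_distribution(m, keys, faulty={faulty_node})
    return {
        "no_fault_agree": full_distribution(m, keys) == (keys, keys),
        "agree_on_faulty_nodes_own_key": sA[faulty_node] == sB[faulty_node] == keys[faulty_node],
        "disagreements": sorted(i for i in keys if sA[i] != sB[i]),
        "first_agreed": first_agreed_index(sA, sB),
    }
```

With $m = 5$ and $X_3$ faulty, `fact3_check()` reports that $A$ and $B$ disagree on the keys of $X_1, X_2$ (they reach $B$ through $X_3$) and of $X_4, X_5$ (they reach $A$ through $X_3$), but agree on the key of $X_3$ itself, which is exactly what the later protocols exploit when they select the first agreed key on each line.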

Reliable Transmission Protocol (Franklin and Wright [5]) In this protocol, $A$ tries to reliably transmit a message $M^A$ to $B$.

— The nodes on all the $n$ lines execute an instance of the Full Distribution Protocol, which takes place during rounds 1 through $m+1$. The element that $X_{i,j}$ initiates is $(a_{i,j}, b_{i,j})$, which is randomly chosen from $F^2$. Let $(a^A_{i,j}, b^A_{i,j})$ and $(a^B_{i,j}, b^B_{i,j})$ be the values that $A$ and $B$ receive or substitute as the element initiated by $X_{i,j}$.

— The nodes on all the $n$ lines execute an instance of the Basic Propagation Protocol from $A$ to $B$, which takes place during rounds $m+2$ through $2m+3$. The element that $A$ initiates is $\{(i, j, M^A, \mathrm{auth}(M^A, a^A_{i,j}, b^A_{i,j})) : 1 \leq i \leq m, 1 \leq j \leq n\}$. In round $2m+3$, $B$ receives or substitutes $\{(i, j, M_{i,j,k}, u_{i,j,k}) : 1 \leq i \leq m, 1 \leq j \leq n\}$ on the $k$-th line, $1 \leq k \leq n$.

— Let $r_k(M) = \{j : \exists i\,(M = M_{i,j,k} \text{ and } u_{i,j,k} = \mathrm{auth}(M, a^B_{i,j}, b^B_{i,j}))\}$. $B$ outputs the $M^B$ that maximizes $\max_k |r_k(M^B)|$.

Theorem 4. (Franklin and Wright [?]) If $\delta > 0$, $n > t$, and $|F| > mn^2/\delta$, then the Reliable Transmission Protocol is an efficient $\delta$-reliable message transmission protocol.

4 Reliable and Private Communication over Neighbor Networks

4.1 Survey of Franklin–Wright's Results

As in the previous section, we assume that party $A$ (the message transmitter) and party $B$ (the message recipient) are connected by $n$ neighborhood disjoint lines. Franklin and Wright showed the following results regarding privacy in broadcast networks:



452 Yongge Wang and Yvo Desmedt 



1. If $n > t$, $\delta > 0$ and $\varepsilon > 0$, then there is an efficient $(\varepsilon, \delta)$-secure message transmission protocol between $A$ and $B$.

2. If $n \geq \lceil 3t/2 \rceil$ and $\delta > 0$, then there is an efficient $(0, \delta)$-secure message transmission protocol between $A$ and $B$, that is, a $\delta$-reliable and perfectly private message transmission protocol.

3. If $t < n < \lceil 3t/2 \rceil$ and $\delta > 0$, then there is an exponential bit complexity $(0, \delta)$-secure message transmission protocol between $A$ and $B$.



4.2 The Franklin–Wright Open Problem

They left open the question whether it is possible to efficiently achieve perfect privacy when $t < n < \lceil 3t/2 \rceil$. That is, does there exist a polynomial time $(0, \delta)$-secure message transmission protocol between $A$ and $B$ when $t < n < \lceil 3t/2 \rceil$? We give an affirmative answer to this question.



4.3 The Solution

Intuitively, our protocol proceeds as follows. First, using the Full Distribution Protocol from the preceding section, each internal node $X_{i,j}$ transmits a random authentication key $(a_{i,j}, b_{i,j}, c_{i,j}, d_{i,j}) \in_R F^4$ to both $A$ and $B$. Secondly, using the Basic Propagation Protocol, $B$ transmits to $A$ a random $r^B \in_R F$ authenticated by the keys in $\{(a_{i,j}, b_{i,j}, c_{i,j}, d_{i,j}) : 1 \leq i \leq m, 1 \leq j \leq n\}$. Thirdly, for each $1 \leq j \leq n$, $A$ decides whether $A$ and $B$ agree on at least one authentication key on the $j$-th line. Let

$$K^A = \{(i_j, j) : (a^A_{i_j,j}, b^A_{i_j,j}, c^A_{i_j,j}, d^A_{i_j,j}) \text{ is the first key agreed upon by } A \text{ and } B \text{ on the } j\text{-th line}\}.$$

Lastly, $A$ encrypts the message using the sum of the pads $a^A_{i_j,j}$ ($(i_j, j) \in K^A$) and, using the Basic Propagation Protocol, transmits to $B$ the set $K^A$ and the ciphertext authenticated by the keys in $\{(a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j}) : 1 \leq i \leq m, 1 \leq j \leq n\}$. Finally, $B$ decrypts the message.



Perfectly Private Transmission Protocol

— The nodes on all the $n$ lines execute an instance of the Full Distribution Protocol, which takes place during rounds 1 through $m+1$. The element that $X_{i,j}$ initiates is $(a_{i,j}, b_{i,j}, c_{i,j}, d_{i,j})$, which is randomly chosen from $F^4$. Let $(a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j})$ and $(a^B_{i,j}, b^B_{i,j}, c^B_{i,j}, d^B_{i,j})$ be the values that $A$ and $B$ receive or substitute as the element initiated by $X_{i,j}$.

— The nodes on all the $n$ lines execute an instance of the Basic Propagation Protocol from $B$ to $A$, which takes place during rounds $m+2$ through $2m+3$. The element that $B$ initiates is $\{(i, j, r^B, \mathrm{bauth}(r^B, a^B_{i,j}, b^B_{i,j}, c^B_{i,j}, d^B_{i,j})) : 1 \leq i \leq m, 1 \leq j \leq n\}$, where $r^B \in_R F$. In round $2m+3$, $A$ receives or substitutes $\{(i, j, r_{i,j,k}, u_{i,j,k}) : 1 \leq i \leq m, 1 \leq j \leq n\}$ on the $k$-th line, $1 \leq k \leq n$.
— Let $r_k(r) = \{j : \exists i\,(r = r_{i,j,k} \text{ and } u_{i,j,k} = \mathrm{bauth}(r, a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j}))\}$. Let $r^A$ be the message that maximizes $|r_{k_A}(r^A)| = \max_k |r_k(r^A)|$, and let

$$K^A = \{(i_j, j) : j \in r_{k_A}(r^A),\ \forall(0 < i < i_j)\,(u_{i,j,k_A} \neq \mathrm{bauth}(r^A, a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j})),\ u_{i_j,j,k_A} = \mathrm{bauth}(r^A, a^A_{i_j,j}, b^A_{i_j,j}, c^A_{i_j,j}, d^A_{i_j,j})\}.$$

$A$ computes $z^A = M^A + \sum_{(i_j,j) \in K^A} a^A_{i_j,j}$.

— In rounds $2m+4$ through $3m+5$, the nodes on all the $n$ lines execute an instance of the Basic Propagation Protocol from $A$ to $B$. The element that $A$ initiates is $\{(i, j, z^A, K^A, \mathrm{bauth}((z^A, K^A), a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j})) : 1 \leq i \leq m, 1 \leq j \leq n\}$, where $(z^A, K^A)$ denotes the concatenation of $z^A$ and $K^A$ (without loss of generality, we assume that prefix-free codes are used so that we can uniquely recover $z^A$ and $K^A$ from $(z^A, K^A)$). In round $3m+5$, $B$ receives or substitutes $\{(i, j, z_{i,j,k}, K_{i,j,k}, u_{i,j,k}) : 1 \leq i \leq m, 1 \leq j \leq n\}$ on the $k$-th line, $1 \leq k \leq n$.



— Let $R_k((z, K)) = \{j : \exists i\,((z, K) = (z_{i,j,k}, K_{i,j,k}) \text{ and } u_{i,j,k} = \mathrm{bauth}((z_{i,j,k}, K_{i,j,k}), a^B_{i,j}, b^B_{i,j}, c^B_{i,j}, d^B_{i,j}))\}$, and let $(z^B, K^B)$ be the message that maximizes the following: $|R_{k_B}((z^B, K^B))| = \max_k |R_k((z^B, K^B))|$. $B$ outputs

$$M^B = z^B - \sum_{(i_j,j) \in K^B} a^B_{i_j,j}.$$

The Perfectly Private Transmission Protocol provides efficient $(0, \delta)$-secure message transmission provided that the field $F$ used by $\mathrm{bauth}()$ satisfies $|F| > 2(3n + mn^2)/\delta$. Since reliable communication is not possible when $t \geq n$, this protocol provides matching upper and lower bounds for perfect privacy and probabilistic reliability.



Theorem 5. If $\delta > 0$, $n > t$, and $|F| > 2(3n + mn^2)/\delta$, then the Perfectly Private Transmission Protocol is an efficient $(0, \delta)$-secure message transmission protocol.



Proof. Let $w_0$ denote the number of lines with no faults, $w_1$ the number with exactly one fault, and $w_+$ the number with two or more faults. Then since $n > t$, it follows that $w_0 > w_+$. By Fact 3, $|K^A| \geq w_0 + w_1 > w_+ + w_1$. Whence there is an $(i_{j^*}, j^*) \in K^A$ such that the $j^*$-th line is a non-faulty line, and

$$a^A_{i_{j^*},j^*} = a^B_{i_{j^*},j^*} = a_{i_{j^*},j^*},\quad b^A_{i_{j^*},j^*} = b^B_{i_{j^*},j^*} = b_{i_{j^*},j^*},\quad c^A_{i_{j^*},j^*} = c^B_{i_{j^*},j^*} = c_{i_{j^*},j^*},\quad d^A_{i_{j^*},j^*} = d^B_{i_{j^*},j^*} = d_{i_{j^*},j^*}.$$

By the theorem on the authentication code proved at the beginning of this section, the adversary gets no information about $a^A_{i_{j^*},j^*}$ given the view $adv_{M^A}$, where $adv_{M^A}$ consists of the following information:

1. $\{(i, j, r^B, \mathrm{bauth}(r^B, a^B_{i,j}, b^B_{i,j}, c^B_{i,j}, d^B_{i,j})) : 1 \leq i \leq m, 1 \leq j \leq n\}$;

2. $\{(i, j, z^A, K^A, \mathrm{bauth}((z^A, K^A), a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j})) : 1 \leq i \leq m, 1 \leq j \leq n\}$; and

3. at most one randomly guessed (by the adversary) correct authenticator of some random message.



It should be noted that item 3 in the adversary's view $adv_{M^A}$ is important for the following reason: with non-zero probability the first transmission from $B$ to $A$ may fail (i.e. in rounds $m+2$ through $2m+3$). That is, the adversary may create a bogus $(r^B)'$ (which is different from $r^B$) and guess the value $\mathrm{bauth}((r^B)', a^B_{i_{j^*},j^*}, b^B_{i_{j^*},j^*}, c^B_{i_{j^*},j^*}, d^B_{i_{j^*},j^*})$ correctly. Then at the end of round $2m+3$, $A$ may choose $r^A = (r^B)'$. The consequence is that there may be an item $(i_{j'}, j') \in K^A$ such that

$$(a^A_{i_{j'},j'}, b^A_{i_{j'},j'}, c^A_{i_{j'},j'}, d^A_{i_{j'},j'}) \neq (a^B_{i_{j'},j'}, b^B_{i_{j'},j'}, c^B_{i_{j'},j'}, d^B_{i_{j'},j'}).$$

It is easy for the adversary to decide whether such an item exists in $K^A$. When such an item exists, the adversary knows that he has guessed a correct authenticator of the message $(r^B)'$.

Since $a^A_{i_{j^*},j^*} = a_{i_{j^*},j^*}$, every $M^A$ is equally likely given $adv_{M^A}$. Since this is the only relevant information about $M^A$ in $adv$, we have that $\Pr[adv(M_0, r) = c] = \Pr[adv(M_1, r) = c]$ for every pair of messages $M_0$ and $M_1$, adversary's coin flips $r$, and possible view $c$. It follows that $\sum_c |\Pr[adv(M_0, r) = c] - \Pr[adv(M_1, r) = c]| = 0$.

We now prove reliability. Let

$$K^{AB} = \{(i_j, j) : (a_{i_j,j}, b_{i_j,j}, c_{i_j,j}, d_{i_j,j}) \text{ is the first key actually agreed upon by } A \text{ and } B \text{ on the } j\text{-th line, i.e. } \forall(0 < i < i_j)\,((a^A_{i,j}, b^A_{i,j}, c^A_{i,j}, d^A_{i,j}) \neq (a^B_{i,j}, b^B_{i,j}, c^B_{i,j}, d^B_{i,j}))\}.$$



It follows from the use of $\mathrm{bauth}()$ that the probability that there exists a $k$ and $r' \neq r^B$ with $|r_k(r')| \geq w_1 + w_+$ is less than or equal to the probability that at least one faulty node guesses a correct authenticator of $r'$, which is again less than $mn^2/|F|$ (see Franklin and Wright [?]). That is, the first transmission from $B$ to $A$ (i.e. in rounds $m+2$ through $2m+3$) succeeds with probability at least $1 - mn^2/|F|$. Let FTR denote the event that the first transmission from $B$ to $A$ succeeds. Now assume that $r^A = r^B$ and $u_{i_j,j,k_A} = \mathrm{bauth}(r^B, a^A_{i_j,j}, b^A_{i_j,j}, c^A_{i_j,j}, d^A_{i_j,j})$. Then

$$a^A_{i_j,j} (r^B)^3 + b^A_{i_j,j} (r^B)^2 + c^A_{i_j,j} r^B + d^A_{i_j,j} = a^B_{i_j,j} (r^B)^3 + b^B_{i_j,j} (r^B)^2 + c^B_{i_j,j} r^B + d^B_{i_j,j},$$

which implies that $r^B$ is a solution of the equation

$$(a^B_{i_j,j} - a^A_{i_j,j})(r^B)^3 + (b^B_{i_j,j} - b^A_{i_j,j})(r^B)^2 + (c^B_{i_j,j} - c^A_{i_j,j}) r^B + (d^B_{i_j,j} - d^A_{i_j,j}) = 0. \quad (1)$$

Since $a^A_{i_j,j}, b^A_{i_j,j}, c^A_{i_j,j}, d^A_{i_j,j}, a^B_{i_j,j}, b^B_{i_j,j}, c^B_{i_j,j}$, and $d^B_{i_j,j}$ are fixed before the random choice of $r^B$, and equation (1) has at most three solutions, it follows that for any fixed $(i_j, j) \in K^A$,

$$\Pr[(a^B_{i_j,j}, b^B_{i_j,j}, c^B_{i_j,j}, d^B_{i_j,j}) \neq (a^A_{i_j,j}, b^A_{i_j,j}, c^A_{i_j,j}, d^A_{i_j,j}) \mid \mathrm{FTR}] \leq 3/|F|. \quad (2)$$
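Two facts about the authentication code carry both proofs: the Vandermonde argument at the top of this section (three authenticators leave the pad $a$ uniform) and relation (2) (two distinct keys agree on at most three messages). The block below is an added example, not the paper's code; it assumes $\mathrm{bauth}(M; a, b, c, d) = aM^3 + bM^2 + cM + d$, read off the three equations in that proof since the paper's own definition of $\mathrm{bauth}()$ is not on this page, and uses a constructed field size, key and messages so that every key can be enumerated.

```python
# Added example (not from the paper): the polynomial authentication code over a prime field,
# checked against the two facts the proofs rely on.  The form bauth(M; a, b, c, d) =
# a*M^3 + b*M^2 + c*M + d is read off the three Vandermonde equations in the proof at the top
# of this section (the paper's own definition of bauth() is not on this page); the field size,
# keys and messages below are constructed for exhaustive checking.
from itertools import product

P = 11  # F = GF(11): small enough to enumerate all |F|^4 keys


def bauth(m, key, p=P):
    """Authenticator of message m under key (a, b, c, d) over GF(p)."""
    a, b, c, d = key
    return (a * pow(m, 3, p) + b * pow(m, 2, p) + c * m + d) % p


def keys_consistent_with(view, p=P):
    """All keys in GF(p)^4 that produce every observed (M_i, s_i) pair in `view`."""
    return [k for k in product(range(p), repeat=4)
            if all(bauth(m, k, p) == s for m, s in view)]


def marginal_counts(view, index, p=P):
    """Number of consistent keys per value of coordinate `index` (0 = a, ..., 3 = d).

    With three pairs at distinct M_i the Vandermonde system has rank 3, so the consistent
    keys form a line of p points; the pad a takes each value exactly once, which is the
    "every a is equally likely" statement of the theorem."""
    counts = [0] * p
    for k in keys_consistent_with(view, p):
        counts[k[index]] += 1
    return counts


def collision_points(key_a, key_b, p=P):
    """Values r with bauth(r, key_a) == bauth(r, key_b), i.e. the roots of the difference
    polynomial in equation (1)."""
    return [r for r in range(p) if bauth(r, key_a, p) == bauth(r, key_b, p)]


def max_collisions(p=P):
    """Largest number of collision points over all pairs of distinct keys.  The difference
    polynomial depends only on key_b - key_a, so fixing key_a = 0 covers every pair; a
    non-zero polynomial of degree <= 3 has at most 3 roots, giving the 3/|F| of relation (2)."""
    zero = (0, 0, 0, 0)
    return max(len(collision_points(zero, k, p))
               for k in product(range(p), repeat=4) if k != zero)


def demo(p=P):
    key = (3, 8, 1, 9)                                     # constructed key (a, b, c, d)
    view3 = [(m, bauth(m, key, p)) for m in (2, 5, 7)]    # three authenticated messages seen
    view4 = view3 + [(9, bauth(9, key, p))]               # a fourth use of the same key
    return {
        "a_uniform_after_3": marginal_counts(view3, 0, p) == [1] * p,
        "keys_after_4_uses": keys_consistent_with(view4, p),
        "max_collisions": max_collisions(p),
    }
```

`demo()` shows why the key has four coordinates: the adversary's view in the privacy proof holds up to three authenticators per key (items 1 to 3 above), after which the pad $a$ is still uniform, whereas a fourth authenticator pins the key down completely; and no two distinct keys agree on more than three messages, which is relation (2). One caveat worth knowing when reusing this code: the uniformity of $a$ is unconditional because the nullspace vector of the three equations is a multiple of $(x - M_0)(x - M_1)(x - M_2)$, whose leading coefficient is never zero, while the same is not automatic for the other coordinates (for instance $\mathrm{bauth}(0; a, b, c, d) = d$, so a zero message reveals $d$).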



Then, by relation (2),

$$\Pr[K^A = K^{AB} \mid \mathrm{FTR}] \geq 1 - \sum_{(i_j,j) \in K^A} \Pr[(a^A_{i_j,j}, b^A_{i_j,j}, c^A_{i_j,j}, d^A_{i_j,j}) \neq (a^B_{i_j,j}, b^B_{i_j,j}, c^B_{i_j,j}, d^B_{i_j,j}) \mid \mathrm{FTR}] \geq 1 - \frac{3n}{|F|}.$$

Whence we have

$$\Pr[K^A = K^{AB}] = \Pr[K^A = K^{AB} \mid \mathrm{FTR}] \cdot \Pr[\mathrm{FTR}] \geq \left(1 - \frac{3n}{|F|}\right)\left(1 - \frac{mn^2}{|F|}\right) \geq 1 - \frac{3n + mn^2}{|F|}.$$

A similar analysis shows that the probability that $K^B \neq K^A$ or $z^B \neq z^A$ is less than $(3n + mn^2)/|F|$. Hence our protocol is reliable with probability

$$\Pr[K^A = K^{AB}] \cdot \Pr[K^B = K^A \text{ and } z^B = z^A] \geq \left(1 - \frac{3n + mn^2}{|F|}\right)^2 \geq 1 - \frac{2(3n + mn^2)}{|F|}.$$

Since $|F| > 2(3n + mn^2)/\delta$, it follows that $\Pr[M^A = M^B] \geq 1 - \delta$. □



Remark: Note that in rounds $2m+4$ through $3m+5$ of our Perfectly Private Transmission Protocol, the information $K^A$ is transmitted explicitly. Indeed, this is not necessary. We can omit the transmission of $K^A$. Then at the end of round $3m+5$, using the same method that $A$ used to compute the set $K^A$ at the end of round $2m+3$, $B$ can compute $K^B$ (which equals $K^A$ with high probability). If $K^A$ is not transmitted explicitly, then we can also use the authentication code $\mathrm{bauth}(M, a, b, c) = aM^2 + bM + c$ instead of $\mathrm{bauth}(M, a, b, c, d)$, since even if the adversary guesses a correct authentication code on a random $r^B$, he has no idea whether he has succeeded. For this modification, the proof of the corresponding Theorem 5 remains the same.



5 Weak Connectivity

In a more general setting of multicast graphs, there is a channel from each node to its neighbor nodes. We say that two nodes $A$ and $B$ of a multicast graph are strongly $t$-connected (which was implicitly introduced by Franklin and Wright [?]) if there are $t$ neighborhood (except $A$ and $B$) disjoint paths connecting $A$ and $B$. Franklin and Wright [8] have observed that the multicast lines protocol can be simulated on any strongly $(t+1)$-connected multicast graph. That is, if $A$ and $B$ are strongly $(t+1)$-connected, then our results in the previous section show that $(0, \delta)$-secure message transmission between $A$ and $B$ is possible. In the following, we show that this condition is not necessary.

Franklin and Yung [?] define that two nodes $A$ and $B$ in a multicast graph $G(V,E)$ are weakly $t$-connected if for any set $V_1 \subseteq V \setminus \{A, B\}$ with $|V_1| < t$, the removal of $neighbor(V_1)$ and all incident edges from $G(V,E)$ does not disconnect $A$ and $B$, where $neighbor(V_1) = V_1 \cup \{v \in V : \exists u \in V_1 : (u, v) \in E\} \setminus \{A, B\}$. Franklin and Yung [?] show that it is coNP-hard to decide whether a given graph is weakly $t$-connected.

Let $A$ and $B$ be two nodes on a multicast graph $G(V,E)$ and $t < n$. We say that $A$ and $B$ are weakly $(n,t)$-connected if there are $n$ vertex disjoint paths $p_1, \ldots, p_n$ between $A$ and $B$ and, for any vertex set $T \subseteq V \setminus \{A, B\}$ with $|T| \leq t$, there exists an $i$ ($1 \leq i \leq n$) such that all vertices on $p_i$ have no neighbor in $T$. Obviously, if two vertices are weakly $(n,t)$-connected then they are weakly $(t+1)$-connected.

Theorem 6. If $A$ and $B$ are weakly $(n,t)$-connected for some $t < n$, then the Perfectly Private Transmission Protocol in the previous section is an efficient $(0, \delta)$-secure message transmission protocol between $A$ and $B$.

Proof. It follows straightforwardly from the proof of Theorem 5. □

Franklin and Yung show that, in the context of a $t$-passive adversary, weak $(t+1)$-connectivity is necessary and sufficient for achieving private communication. Theorem 6 provides a sufficient condition for achieving perfect privacy and probabilistic reliability against a $t$-active adversary in a general multicast graph. It is an open question whether the condition in Theorem 6 is also necessary.

It is easily observed that strong $(t+1)$-connectivity implies weak $(t+1, t)$-connectivity. The following example shows that weak $(n,t)$-connectivity does not imply strong $(t+1)$-connectivity.

Example 7. Let $G(V,E)$ be the graph defined by $V = \{A, B\} \cup \{v_{i,j} : i, j = 1, 2, 3\}$ and $E = \{(A, v_{i,1}) : i = 1, 2, 3\} \cup \{(v_{i,j}, v_{i,j+1}) : i = 1, 2, 3;\ j = 1, 2\} \cup \{(v_{i,3}, B) : i = 1, 2, 3\} \cup \{(v_{1,1}, v_{2,1}), (v_{2,2}, v_{3,2}), (v_{3,3}, v_{1,3})\}$. Then it is straightforward to show that $A$ and $B$ are weakly $(3,1)$-connected but not strongly 2-connected in $G$.

Theorem 6 shows that, for at most one malicious node, efficient $(0, \delta)$-secure message transmission between $A$ and $B$ is possible in the multicast graph defined in Example 7. Note that this multicast graph is only strongly 1-connected, and so Franklin–Wright's results have no bearing on this example.
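The claims of Example 7 can be checked mechanically on a graph this small. The following brute-force checkers for the three connectivity notions of this section are an added example and not the paper's code; the definitions are the page's, while the enumeration of all simple paths and all small vertex subsets is an illustration that only scales to toy graphs (the text notes that both decision problems are hard in general).

```python
# Added example (not from the paper): brute-force checkers for the connectivity notions of
# Section 5, run on the graph of Example 7.  The definitions are the page's; the exhaustive
# search over simple paths and vertex subsets is an added illustration that only suits small
# graphs (both decision problems are hard in general, as the text states).
from itertools import combinations


def example7():
    """Adjacency sets for Example 7; v_{i,j} is written 'v{i}{j}'."""
    edges = set()
    for i in (1, 2, 3):
        edges |= {("A", f"v{i}1"), (f"v{i}1", f"v{i}2"), (f"v{i}2", f"v{i}3"), (f"v{i}3", "B")}
    edges |= {("v11", "v21"), ("v22", "v32"), ("v33", "v13")}
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def simple_paths(adj, src, dst):
    """All simple src -> dst paths as vertex tuples (depth-first enumeration)."""
    out, stack = [], [(src, (src,))]
    while stack:
        node, path = stack.pop()
        if node == dst:
            out.append(path)
            continue
        for nxt in adj[node]:
            if nxt not in path:
                stack.append((nxt, path + (nxt,)))
    return out


def reachable(adj, src, dst, removed):
    """Is dst reachable from src once the vertices in `removed` are deleted?"""
    seen, stack = {src}, [src]
    while stack:
        x = stack.pop()
        if x == dst:
            return True
        for y in adj[x]:
            if y not in seen and y not in removed:
                seen.add(y)
                stack.append(y)
    return False


def neighborhood_disjoint(adj, p, q, ends):
    """Two lines in the sense of Section 3: internally vertex disjoint, and any common
    neighbour of an internal vertex of p and an internal vertex of q is A or B."""
    ip, iq = set(p[1:-1]), set(q[1:-1])
    if ip & iq:
        return False
    return all((adj[x] & adj[y]) <= ends for x in ip for y in iq)


def strongly_k_connected(adj, a, b, k):
    """k pairwise neighbourhood-disjoint paths between a and b exist."""
    paths = simple_paths(adj, a, b)
    return any(all(neighborhood_disjoint(adj, p, q, {a, b}) for p, q in combinations(group, 2))
               for group in combinations(paths, k))


def weakly_nt_connected(adj, a, b, n, t):
    """n vertex-disjoint paths such that every T of size <= t neither contains nor touches
    (is adjacent to) any internal vertex of at least one of them."""
    others = sorted(set(adj) - {a, b})
    for group in combinations(simple_paths(adj, a, b), n):
        ints = [set(p[1:-1]) for p in group]
        if any(x & y for x, y in combinations(ints, 2)):
            continue
        hoods = [(s | set().union(*(adj[v] for v in s))) - {a, b} for s in ints]
        if all(any(not (set(T) & h) for h in hoods)
               for size in range(t + 1) for T in combinations(others, size)):
            return True
    return False


def weakly_t_connected(adj, a, b, t):
    """Franklin-Yung weak t-connectivity: deleting neighbor(V1) for any |V1| < t leaves a, b connected."""
    others = sorted(set(adj) - {a, b})
    for size in range(t):
        for v1 in combinations(others, size):
            removed = (set(v1) | set().union(*(adj[v] for v in v1))) - {a, b}
            if not reachable(adj, a, b, removed):
                return False
    return True
```

On `example7()` the checkers confirm the text: $A$ and $B$ are weakly $(3,1)$-connected (the three lines serve as $p_1, p_2, p_3$) and hence weakly 2-connected, but not strongly 2-connected, because every pair of vertex-disjoint paths is joined by one of the three cross edges and the endpoints of that edge give two path vertices a common neighbor. With two faulty nodes (for instance $T = \{v_{1,2}, v_{2,2}\}$) every line is touched, so the graph is not weakly $(3,2)$-connected either.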

Similarly, for any $n > 2$ the following example gives a graph $G$ and two vertices $A$ and $B$ such that $A$ and $B$ are weakly $(n, 1)$-connected but not weakly 3-connected.

Example 8. Let $G(V,E)$ be the graph defined by $V = \{A, B\} \cup \{v_{i,j} : i = 1, \ldots, n;\ j = 1, 2\}$ and $E = \{(A, v_{i,1}) : i = 1, \ldots, n\} \cup \{(v_{i,1}, v_{i,2}) : i = 1, \ldots, n\} \cup \{(v_{i,2}, B) : i = 1, \ldots, n\} \cup \{(v_{1,2}, v_{i,2}) : i = 2, \ldots, J\} \cup \{(v_{J+1,2}, v_{i,2}) : i = J+2, \ldots, n\}$. Then it is straightforward to show that $A$ and $B$ are weakly $(n, 1)$-connected but not weakly 3-connected in $G$.

Then Theorem 6 shows that, for at most one malicious node, efficient $(0, \delta)$-secure message transmission between $A$ and $B$ is possible in the graph $G$ defined in Example 8. The result by Franklin and Yung [?] shows that secure message transmission between $A$ and $B$ is impossible in this graph when there are two malicious nodes. However, if $n \geq 2t+1$ and we use non-broadcast channels, then secure message transmission is possible between $A$ and $B$ against $t$ malicious nodes (see, e.g., Dolev, Dwork, Waarts, and Yung [?]). It follows that in certain cases broadcast helps adversaries "more", which contrasts with Franklin and Wright's result [?] that in certain cases broadcast hurts adversaries "more".

We close our paper by showing that it is NP-hard to decide whether a given multicast graph is strongly $k$-connected.

Theorem 9. It is NP-complete to decide whether a given multicast graph is strongly $k$-connected.

Proof. It is clear that the specified problem is in NP. Whence it suffices to reduce the following NP-complete problem IS (Independent Set) to our problem. A similar (but not identical) reduction for a different problem has appeared in Burmester, Desmedt, and Wang [?]. The independent set problem is:

Instance: A graph $G(V,E)$ and a number $k$.

Question: Does there exist a node set $V_1 \subseteq V$ of size $k$ such that no two nodes in $V_1$ are connected by an edge in $E$?

The input $G(V_G, E_G)$ to IS consists of a set of vertices $V_G = \{v_1, \ldots, v_n\}$ and a set of edges $E_G$. In the following we construct a multicast graph $f(G) = MG(V', E')$ and two nodes $A, B \in V'$ such that there is an independent set of size $k$ in $G$ if and only if $A$ and $B$ are strongly $k$-connected.

Let $V' = \{A, B\} \cup \{u_{i,j} : i, j = 1, \ldots, n\} \cup \{u_i : i = 1, \ldots, n\}$, and let $E'$ be the set of the following edges.

1. For each pair $i, j = 1, \ldots, n$, there is an edge $(A, u_{i,j}) \in E'$.

2. For each pair $i, j = 1, \ldots, n$: if there exists an edge $(v_i, v_j) \in E_G$, then there are four edges $(u_{i,j}, u_i)$, $(u_{i,j}, u_j)$, $(u_{j,i}, u_i)$ and $(u_{j,i}, u_j)$ in $E'$.

3. For each $i$, there is an edge $(u_i, B) \in E'$.

It is clear that two paths $P_1$ and $P_2$ connecting $A$ and $B$ which go through $u_i$ and $u_j$ respectively are node disjoint and have no common neighbors (except $A$ and $B$) if and only if there is no edge $(v_i, v_j)$ in $E_G$. Hence there is an independent set of size $k$ in $G$ if and only if $A$ and $B$ are strongly $k$-connected. □



Similarly, we can define the corresponding problem for weak $(n,t)$-connectivity as follows:

Instance: A graph $G(V,E)$ and two numbers $n > t$.

Question: Is $G$ weakly $(n,t)$-connected?

Using a reduction from the NP-complete problem "Vertex Cover", a similar argument as in the proof of Theorem 9 can be used to show that the above problem is coNP-hard (the details are omitted). Indeed, it is straightforward to show that the above problem belongs to $\Sigma_2^p$ (that is, the second level of the polynomial time hierarchy). It remains open whether this problem is coNP-complete, or $\Sigma_2^p$-complete, or neither.
Abstract. We consider re-keying protocols for secure multicasting in a dynamic multicast group with a center. There is a variety of different scenarios using multicast, presenting a wide range of efficiency requirements with respect to several parameters. We give an upper bound on the tradeoff between storage and communication parameters. In particular, we suggest an improvement of the schemes by Wallner et al. and Wong et al. [?] with sub-linear center storage, without a significant loss in other parameters.

By correctly selecting the parameters of our scheme we can efficiently accommodate a wide range of scenarios. This is demonstrated by applying the protocol to some known benchmark scenarios.

We also show lower bounds on the tradeoff between communication and user storage, and show that our scheme is almost optimal with respect to these lower bounds.



1 Introduction 

Multicast communication (and, in particular, IP multicast routing) is an attractive method for delivery of data to multiple recipients. The motivation for multicast communication is its efficiency: multicast group users get the same message simultaneously, hence the reduction of both sender and network resources. A wide range of applications benefit from efficient multicast: interest groups, file and real-time information update, video multi-party conferences, on-line games and pay TV are a few examples.

Securing multicast communication is non-trivial and poses a number of challenges, ranging from algorithmic problems, through system and communication design, to secure implementation. (See the overview in [?].) The main security concerns are typically access control (making sure that only legitimate members of a multicast group have access to the multicast group communication), source authentication (verifying that received multicast data is unmodified and originates with the claimed source), and maintaining availability (protecting against denial-of-service and clogging attacks).

the author was visiting the IBM T.J. Watson Research Center.

J. Stern (Ed.): EUROCRYPT'99, LNCS 1592, pp. 459-[end page illegible in source], 1999.

This paper focuses on providing access control for multicast communication. The standard technique to this end is to maintain a common key that is known to all the multicast group members, but is unknown to non-members. All group communication is then encrypted using the shared key. (We remark that long-term secrecy is typically not a concern for multicast communication; encryption is used mainly for obtaining short-term access control.) The main problem here is key management: how to maintain the invariant that all group members, and only them, have access to the group key in a group with dynamic membership. We limit ourselves to the case where there is a centralized group controller (or group center) who handles the task of key management. Whenever a member joins or leaves the group, the group key needs to be changed and the new key needs to be made known to all members.

We concentrate on efficient schemes for this re-keying problem. In particular, we show a tradeoff between communication and storage parameters for the group controller and members, and provide nearly optimal upper and lower bounds for some of these parameters. Our protocol is parameterized in terms of the tradeoff, allowing different choices of parameters to result in a variety of scheme performances. This makes the protocol suitable for different applications and scenarios. The works of [?] on efficient re-keying schemes are the starting point for this work.

1.1 Security of Re-keying Schemes

A standard security requirement from the data encryption mechanism is semantic security [?] of the group communication. Assuming the usage of appropriate (semantically secure) encryption schemes, this requirement reduces to the semantic security of the group session key $k_s$, shared by the group members. I.e. it is required that an adversary cannot distinguish the real session key from a random key.

If the only operation allowed is joining new users to the group, the re-keying problem is solved by simply giving the session key $k_s$ to the new users. If backward privacy is also required (i.e. new users should not have access to past messages), then a new session key $k_s^{new}$ may be selected and given to the new users, and $E_{k_s}(k_s^{new})$ is multicast. (Alternatively, the new key can be locally computed as a pseudorandom function of the old key.)

Removing users from the group requires the change of $k_s$ (and possibly other data) to guarantee the semantic security of the new key against any coalition of removed users. It is stressed that security is required against any coalition of removed users. In particular, we do not assume any limit on the size or structure of the coalition.

To be able to focus on the re-keying problem we assume authenticated and reliable communication, or more specifically that the messages sent by the group center arrive at their destination and messages are not modified, generated, or replayed by an adversary. These concerns should be addressed separately.

1.2 Efficiency of Re-keying Schemes 

Efficiency of multicast re-keying schemes is measured by several parameters: (i) 
communication complexity, (ii) user storage and (iii) center storage and (iv) time 
complexity. In this paper we concentrate on the communication and storage com- 
plexity measures (of course, without letting the time complexity be infeasible). 

Communication complexity is probably the most important measure, as it is 
the biggest bottleneck in current applications. (Indeed, reducing communication 
is the main motivation for using multicast technology.) 

Reducing the center storage enables small memory in the security module (which is responsible for key management). This module is typically separate from the module(s) handling group membership; this latter task typically requires special handling of each member upon joining and leaving the group, and is left out of scope of this work. The module separation can be either logical or physical. Furthermore, for large groups the membership module may consist of several disparate components handling different regions, while the key management module remains centralized. Also, the performance and latency requirements from the key-management module may be more stringent.

Using our scheme, the center storage may indeed be sub-linear, thereby improving on the best previously known schemes [?], without a significant change in other parameters. E.g. with current technology, for a million-user multicast group, our reduction enables a security module with all its storage in fast cache memory, making it considerably more efficient.

The motivation for reducing user storage stems from applications in which the 
users are low-end, and have severe memory restrictions (e.g. when the multicast 
group consists of cable TV viewers and the user module resides in the cable 
converter unit). 

Since there is a large number of potential multicast scenarios it seems unlikely that a single solution will fit all scenarios. This motivates a tradeoff between efficiency parameters. Simple solutions suggest that such a tradeoff exists: (i) One extreme is a center that shares, in addition to the session key, a distinct symmetric key with each user. When a user is removed, the center sends new symmetric keys and a new session key to each of the users separately. Thus, user storage is minimal but the communication costs are proportional to the number of group users. (ii) An opposite extreme is having a key for every possible subset of users, where every potential user gets all the keys for the subsets that contain her. Whenever a user is removed, the session key is set to the key of the remaining subset of users. The length of the re-keying message of this solution is optimal (it suffices to declare each removed user), but the number of keys held by each user is clearly prohibitive (at least $2^{n-1}$ keys, where $n$ is the group size).

Our goal is to study the tradeoff between communication and storage, and 
construct schemes which are flexible enough to fit a variety of scenarios, in a 
way that is provably optimal (or close to optimal). 
We achieve this goal with respect to the tradeoff between communication and user storage. For the tradeoff between communication and center storage, our upper bound is better than all previously known schemes. Proving a lower bound on the latter tradeoff remains an intriguing open problem.

1.3 Summary of Results 

We give an upper bound on the tradeoff between user storage, center storage and communication, and a lower bound relating user storage and the minimal communication. The gap between the bounds is at most logarithmic in the size of the group. Moreover, for a natural class of protocols, including all currently known ones, the gap is closed, namely our scheme is optimal for this class. Thus, our upper bound is nearly optimal with respect to our lower bound, in a strong sense. Our upper bounds are based on the re-keying schemes of Wallner et al. and Wong et al. [?], with improvements of [?] and McGrew and Sherman [?]. These schemes communicate $\log n$ encrypted keys per update, and require linear center storage ($2n - 1$ keys), and logarithmic user storage ($\log n$ keys).

Upper Bound We give an upper bound (i.e. a protocol) which allows trading center storage with communication, with the restriction that communication is lower bounded as a function of user storage. Specifically, for a group of $n$ users with user storage of $b + 1$ keys, the communication is $O(bn^{1/b} - b)$ encrypted keys. Center storage multiplied by communication length is roughly $O(n)$.

One instance yields $O(\log n)$ communication, $O(\log n)$ user storage, and sub-linear center storage; this is the first scheme with center storage sub-linear in $n$. Other instances are suitable for different applications, as we demonstrate by applying our scheme to benchmark scenarios.
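The numbers quoted above ($b + 1$ keys per user, $bn^{1/b} - b$ encrypted keys per removal) are exactly what a complete $a$-ary key tree of depth $b$ with $n = a^b$ leaves delivers when the key of each node on the removed user's path is derived one-way from the new key of its child on that path and sent encrypted only to the other $a - 1$ children. The simulation below is an added example, not the paper's code or its sub-linear-storage scheme (which this page does not describe); it implements the key-tree re-keying attributed above to Wallner et al./Wong et al. with that derivation improvement, and uses a toy HMAC-based XOR cipher constructed for the illustration.

```python
# Added example (not from the paper): the degree-a key tree of Wallner et al. / Wong et al.
# that the page takes as its starting point, with the one-way key derivation the page credits
# to later improvements, simulated to exhibit the stated tradeoff.  n = a**b users are leaves
# of a complete a-ary tree of depth b, each holding the b+1 keys on its root path; removing a
# user costs (a-1)*b = b*n**(1/b) - b encrypted keys.  The encryption is a toy HMAC-SHA256
# keystream XOR constructed for this illustration, not a cipher any real scheme uses.
import hashlib
import hmac
import os


def toy_encrypt(key, block):
    """XOR a 32-byte block with an HMAC-SHA256 keystream (toy; XOR is its own inverse)."""
    stream = hmac.new(key, b"rekey", hashlib.sha256).digest()
    return bytes(x ^ s for x, s in zip(block, stream))


def derive(child_key):
    """One-way derivation of a node's new key from the new key of its on-path child; the
    members of that child's subtree compute it instead of receiving it, saving one message."""
    return hashlib.sha256(b"parent|" + child_key).digest()


class KeyTree:
    """Complete a-ary key tree of depth b; node (lv, ix), root (0, 0) holds the group key."""

    def __init__(self, a, b):
        self.a, self.b, self.n = a, b, a ** b
        self.keys = {(lv, ix): os.urandom(32) for lv in range(b + 1) for ix in range(a ** lv)}
        self.members = set(range(self.n))

    def path(self, user):
        """Nodes from the user's leaf (b, user) up to the root: b+1 keys per user."""
        return [(lv, user // self.a ** (self.b - lv)) for lv in range(self.b, -1, -1)]

    def user_keys(self, user):
        return {node: self.keys[node] for node in self.path(user)}

    def remove(self, user):
        """Center side: discard the leaf key, then re-key each node on the path bottom-up.
        Returns the multicast re-key message as (node, encrypted_under_node, ciphertext)."""
        self.members.discard(user)
        path = self.path(user)
        del self.keys[path[0]]
        msgs, new_key = [], os.urandom(32)
        for node, on_path_child in zip(path[1:], path[:-1]):
            lv, ix = node
            for child_ix in range(ix * self.a, (ix + 1) * self.a):
                child = (lv + 1, child_ix)
                if child != on_path_child:        # siblings of the path get it encrypted
                    msgs.append((node, child, toy_encrypt(self.keys[child], new_key)))
            self.keys[node] = new_key
            new_key = derive(new_key)             # the on-path subtree derives the next one
        return msgs

    def member_update(self, user, old_keys, msgs):
        """Member side: decrypt the one message keyed by a node on this user's path, then
        derive every key above it.  A removed user holds none of the keys used, so its
        key set is returned unchanged."""
        keys, path = dict(old_keys), self.path(user)
        for node, under, ct in msgs:
            if under in keys:
                k = toy_encrypt(keys[under], ct)
                for anc in path[path.index(node):]:
                    keys[anc] = k
                    k = derive(k)
                break
        return keys


def demo(a=4, b=3, removed=5):
    tree = KeyTree(a, b)
    before = {u: tree.user_keys(u) for u in range(tree.n)}
    msgs = tree.remove(removed)
    used = {tree.keys[under] for _, under, _ in msgs}       # sibling keys are unchanged
    return {
        "n": tree.n,
        "keys_per_user": b + 1,
        "messages": len(msgs),
        "bound": b * (a - 1),
        "members_updated": all(tree.member_update(u, before[u], msgs) == tree.user_keys(u)
                               for u in tree.members),
        "removed_excluded": used.isdisjoint(before[removed].values())
                            and tree.member_update(removed, before[removed], msgs) == before[removed],
    }
```

`demo()` with $a = 4$, $b = 3$ (64 users, 4 keys each) produces 9 ciphertexts for one removal, equal to $b(a - 1) = bn^{1/b} - b$; every remaining member reconstructs its new root path from the single message it can decrypt, and the removed member can decrypt none of them since the message keys are those of siblings off its path. Setting $a = 2$ gives the binary tree of the original schemes, and larger $a$ trades more communication per removal for fewer keys per user, which is the tradeoff the text studies.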

In practice, re-keying protocols may be used in "batch mode", where the center does not immediately perform updates, but rather waits until several updates accumulate and performs all of them at once. (This is acceptable for most applications.) Doing this allows in many cases (such as in our scheme) significant savings in the communication. However, this paper focuses on updates one-by-one, as this is the worst case scenario.

Lower Bounds We first give a lower bound on the communication of re-keying protocols as a function of user storage. We prove that if each user holds at most $b + 1$ keys, the communication costs are at least $n^{1/b} - 1$ encrypted messages. 

We further consider the class of structure preserving protocols (to which all currently known schemes belong). Intuitively, structure preserving protocols are those that maintain the property "$u_1$ knows $m$ keys which $u_2$ doesn't" across updates. That is, if user $u_1$ holds $m$ keys which are not known to user $u_2$, then after deleting a user $u_3 \notin \{u_1, u_2\}$ and performing the necessary updates, $u_1$ still holds about $m$ keys not known to $u_2$. For structure preserving protocols, we show a tight (up to small constant factors) lower bound of $bn^{1/b} - b$ messages (matching our upper bound protocol). 

The lower bound is for algorithms that use a "generic" key encryption mechanism. Formally, we assume a "black-box encryption service" that is the only means of encryption (i.e., the algorithm should provide perfect secrecy in the idealized model). Consequently, the implication of the lower bounds is that in order to achieve more efficient protocols than ours one would have to use specific properties of a particular encryption system, such as exploiting algebraic properties of the keys used. 

1.4 Related Work 

A different approach to solving the problem of allowing only legitimate users to access multicasted data is put forward by Fiat and Naor. In their formalization, a center uses a broadcast channel to transmit messages to a group of users $\mathcal{U}$. There are two pre-specified sets: (i) a collection $\mathcal{S} \subseteq 2^{\mathcal{U}}$ of legal subsets of recipients, and (ii) a collection $\mathcal{C} \subseteq 2^{\mathcal{U}}$ of possible "bad" coalitions. The goal is to enable the center to communicate data secretly to a given set $S \in \mathcal{S}$ of users, while preventing any coalition from $\mathcal{C} - S$ from gathering information on the data. Any such mechanism can be used to establish a group key and thus provides a solution to the re-keying problem. 

The Fiat-Naor solution is radically different from the ones discussed here. In particular, 
it allows encrypting multicast communication even without requiring all users 
to have a single common key; in addition, joining and leaving of members does 
not necessarily require any action by the other members. However, their solution 
assumes in a critical way some bound on the size or structure of the coalition of 
adversarial non-members. This work considers schemes where no such assump- 
tions are made. 

There have been some works in broadcast encryption models that consider 
lower bounds on storage and communication, and show that both cannot be 
simultaneously low. Luby and Staddon allow arbitrary coalitions, but restrict 
the possible subsets of recipients to be all sets of a certain size $n - m$. In this 
model they study the tradeoff between the number of keys held by each user, and 
the number of transmissions needed for establishing a new broadcast key. They 
assumed a security model that allows translating the problem to a combinatorial 
(set theoretic) problem. Their lower bound states that either the number of 
transmissions is very high, or the number of keys held by every user is high. 

Blundo, Frota Mattos and Stinson, and Stinson and Trung, study the communication-storage tradeoff in a model of unconditionally secure broadcast encryption by providing some upper and lower bounds for key pre-distribution schemes and broadcast encryption. This model further differs from 
ours in that information theoretic security is required, and storage and commu- 
nication are measured in terms of amount of secret information stored by each 
user, and the broadcast information rate. 

Organization In Section 2 we describe our communication and encryption model. The upper bound scheme is described in Section 3. Finally, we prove lower bounds on the tradeoff between user storage and communication in Section 4. 

2 Preliminaries 

Let $\mathcal{U}$ denote the universe of all possible users¹ and $GC$ denote the group center. We consider a set $M = \{u_1, \ldots, u_n\} \subseteq \mathcal{U}$, called the multicast group (for simplicity, $GC \notin M$). A session key $k_s$ is initially shared by all users in $M$ and by $GC$ (and is not known to any user $v \notin M$). In addition, other information 
may be known to the users and the center. We abstract away the details of the 
initialization phase by which the users get their initial information. In particular 
we may assume that each user joining M has an authenticated secure unicast 
channel with the center GC for the purpose of initialization. (In practice this 
may be obtained by using a public key system.) After the initialization phase, 
and throughout the lifetime of the system, the only means of communication 
with group members is via a multicast channel on which the group center may 
broadcast messages that will be heard by all users in U. Our goal is to securely 
update the session key when the group M changes, so that all users in the group, 
and only them, know the session key at any given time. 

A multicast protocol specifies an algorithm by which the center may update 
the session key (and possibly other information) for the following two update 
operations on M: 

— remove($U$) where $U \subseteq M$. The result is the removal of the users in $U$ from the multicast group: $M^{new} = M \setminus U$. 

— join($U$) where $U \subseteq \mathcal{U}$. The result is the joining of the users in $U$ to the multicast group: $M^{new} = M \cup U$. 

Since the worst case for the re-keying protocol is when $|U| = 1$, from now on 
we assume $|U| = 1$ and measure the efficiency of our protocols accordingly. In 
our description we focus on the removal of users from the multicast group, since 
dealing with joining users is much simpler and can be done with virtually no 
communication overhead. 

Since we do not want to consider specific private key encryption and their 
particular properties, we concentrate on a general key-based model, where the 
cryptographic details are abstracted away. This is modeled by a publicly available black-box pair $E, D$, such that $E$, given as inputs a key $k$ and a message $m$, outputs a ciphertext $c = E(k, m)$; given a ciphertext $c$ and a key 
k, the decryption algorithm D outputs the plaintext m. (We assume that the 
encryption is deterministic; that is, two applications with the same message and 
key will result in the same ciphertext. Probabilistic encryption can be built upon 
E, D in straightforward ways.) This model guarantees that, when multicasting a 
message encrypted with a key k, any user holding k will be able to decrypt, and 
any coalition of users that does not hold k gains no information from hearing the 
ciphertext. To formalize our requirement that all encryption and decryption is 
being done via the black-box pair E, D, we let the adversary be computationally 
unbounded. A lower bound in our model means that any scheme which beats the 

¹ There is no need to a-priori have an explicit representation of $\mathcal{U}$. For example, $\mathcal{U}$ may be the set of all users connected to the Internet. 
bound must be based on a particular encryption scheme and its particular properties. (We remark that, although this model is formalized with the lower bounds in mind, our re-keying schemes can be proven secure even in this model.) 

Multicast Encryption Protocols We define the model of key-based multicast as follows. Let $\ell$ be a security parameter, and let the number of users $n$ be polynomial in $\ell$. Let $K \subseteq \{0,1\}^\ell$ be a set of keys. Each user $u_i \in M$ holds a subset $K(u_i) \subseteq K$ of keys. In particular, there is a "session key" $k_s \in K$ such that every $u \in M$ holds $k_s$. For a set of users $U \subseteq M$ we define $K(U) = \bigcup_{u \in U} K(u)$. We say that a set $U \subseteq M$ holds a key $k \in K$ if $k \in K(U)$. 

In response to a request for update operation the group center (following a 
given protocol) sends a multicast message that results in changed group keys 
(and possibly other keys). For a key $k \in K$ and a string $m \in \{0,1\}^*$, the group center $GC$ may send over the broadcast channel the ciphertext $E_k(m)$. Users holding $k$ may decrypt and obtain $m$. After all the ciphertexts for an update have been broadcast by the center, the users who can decrypt ciphertexts do so, and follow the protocol specification to update their keys. The new total set of keys is denoted by $K^{new}$. 

For the definition of security, we consider an adaptive adversary who may, 
repeatedly and in an arbitrary order, submit update (remove/join) operations 
to the center for subsets of his choice, and break into users $u \in \mathcal{U}$ of his choice 
(thereby getting all of $u$'s information). 

We say that a multicast system is secure if for any adversary, after any 
sequence of operations as above, if the adversary has not broken into any user 
who was in the multicast group while a key kg was the session key, then the 
adversary has no advantage in distinguishing kg from a random key. Note that 
this definition implies backward security as well, since the adversary is not allowed 
to learn any information about a previous session key, unless he broke into a user 
who legitimately belonged to the group at the time that key was used. We also 
do not put a restriction on the number of users the adversary may break into. 

Finally, by convention, when performing a remove($U$) operation, all keys in $K(U)$ are removed from $K^{new}$ (since we require arbitrary resilience, it can be shown that there is no advantage in using a key of a removed user to broadcast a message, and thus these keys may be removed). In particular, $k_s$ is also removed, and thus a new key must assume the special role of the session key $k_s^{new}$. 

The communication complexity of an update operation is measured by the 
number of ciphertexts that need to be broadcasted by the center per update (for 
the worst case choice of update), and is denoted by c{n) for a group of size n. 
The storage is measured by the number of keys that need to be stored. 

3 A Re-keying Scheme 

We start by describing two schemes that our construction will be built upon. The first (described in Section 3.1) is a simple scheme achieving minimal (constant) storage for the center and each user, but highly inefficient (linear) communication complexity. The second (described in Section 3.2) is a widely used scheme 



466 



Ran Canetti, Tal Malkin, and Kobbi Nissim 



by Wallner et al. and Wong et al. (with a later improvement), which we call the basic tree scheme. This scheme achieves logarithmic communication complexity and logarithmic storage for each user, but linear storage for the center. We then show (in Section 3.4) how the basic tree scheme can be generalized 
and combined with the minimal storage scheme, so as to achieve an improved 
scheme with a tradeoff between the parameters. As a special case, we get a 
reduction of the center storage in the tree scheme by a logarithmic factor. 

3.1 A Minimal Storage Scheme 

We describe a simple scheme, which requires the smallest possible amount of storage, two keys for the center and each user², but is very communication intensive, requiring $n - 1$ ciphertexts sent per removal of a user. We will later 
use this scheme as a building block in our construction. 

In this scheme each user u holds the session key kg, and a unique symmetric 
key ku not known to any other user. The center should be able to generate the 
keys of all users, which is possible by holding a single secret key $r$, an index to a pseudo-random function $f_r$ (which can be constructed from the same black-box used for encryption). The keys can be generated by applying the function to the user's index, namely $k_u = f_r(u)$. 

When a group of users $U$ is removed from the group, the center chooses a new session key $k_s^{new}$ and sends it to each user, by broadcasting the ciphers 

$E_{k_u}(k_s^{new})$ for all $u \in M^{new} = M \setminus U$. 

The security of this scheme is based on the security of the encryption scheme and pseudo-random function. The parameters are summarized in Table 1. 

3.2 The Basic Tree Scheme 

We describe the scheme by Wallner et al. and Wong et al. (with a later improvement). For a detailed description, we refer the reader to the original papers. 

The group center creates a balanced binary tree with at least $n$ leaves and assigns an $\ell$-bit random key to every node. Let $k_\varepsilon$ denote the key assigned to the tree root $v_\varepsilon$. Denote the left and right children of node $v_\sigma$ by $v_{\sigma 0}, v_{\sigma 1}$ and their assigned keys by $k_{\sigma 0}, k_{\sigma 1}$ respectively (i.e. the left and right children of the node indexed by $\sigma$ are indexed by $\sigma$ concatenated with 0 or 1 respectively). Every user in $M$ is assigned a leaf and is given the $\log n + 1$ keys assigned to nodes on the path from the root to this leaf. Since $k_\varepsilon$ is known to all group members it is used as the session key: $k_s = k_\varepsilon$. 

Notation Let $\sigma \in \{0,1\}^*$. Denote by $\sigma^i$ the string resulting from erasing the $i$ rightmost bits of $\sigma$. Denote by $flip(\sigma)$ the string resulting from flipping the rightmost bit of $\sigma$. 

Let $G : \{0,1\}^\ell \to \{0,1\}^{2\ell}$ be a pseudo-random generator that doubles the size of its input. Let $G_L(x), G_R(x)$ be the left and right halves of $G(x)$ respectively. Upon removal of a user $u_\sigma$, the group center chooses a random number $r_{\sigma^1} \in \{0,1\}^\ell$. For $i = 1, \ldots, \log n$ the group center sets $k_{\sigma^i}^{new}$ to $G_L(r_{\sigma^i})$, sets $r_{\sigma^{i+1}}$ to $G_R(r_{\sigma^i})$ and broadcasts $r_{\sigma^i}$ encrypted with $k_{flip(\sigma^{i-1})}$, the key of the sibling subtree, as the example below makes explicit. 



² This is minimal by Corollary 3 in the next section. 

Fig. 1. The basic tree scheme actions when the holder of $k_{011}$ is removed. (The figure shows only tree nodes that are affected by the removal.) 



E.g. if $u_{011}$ is removed (see Figure 1), $r_{01}$ is chosen at random, $k_{01}^{new}$ is set to $G_L(r_{01})$, $r_0$ is set to $G_R(r_{01})$ and $r_{01}$ is broadcast encrypted with $k_{010}$. Then, $k_0^{new}$ is set to $G_L(r_0)$, $r_\varepsilon$ is set to $G_R(r_0)$ and $r_0$ is broadcast encrypted with $k_{00}$. Finally, the new session key $k_s^{new} = k_\varepsilon^{new}$ is set to $G_L(r_\varepsilon)$ and $r_\varepsilon$ is broadcast encrypted with $k_1$. Now, every user can compute the changed keys on his root-to-leaf path. 
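The two schemes of Sections 3.1 and 3.2, as an added simulation that is not the paper's own code. The black-box pair $E, D$ is modelled symbolically (a ciphertext opens only under the key it was made with, and reveals nothing otherwise), $G$ and $f_r$ are built from SHA-256, and all names (`BasicTreeCenter`, `user_process`, `minimal_storage_rekey`, `demo`) are my own. Removing $u_{011}$ from an 8-user tree reproduces the three broadcasts of the example above; every remaining user recomputes the new session key and the removed user cannot.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

L = 32  # key length in bytes (the security parameter ell, here 256 bits)

# Symbolic stand-in for the paper's black-box pair (E, D): a ciphertext is
# (tag of the key, payload) and D yields the payload only for the same key.
# This mirrors the idealised model (holders of k decrypt, nobody else learns
# anything); it is a simulation device, not a real cipher.
def E(key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    return (hashlib.sha256(b"tag" + key).digest()[:8], msg)

def D(key: bytes, ct: Tuple[bytes, bytes]) -> Optional[bytes]:
    return ct[1] if ct[0] == hashlib.sha256(b"tag" + key).digest()[:8] else None

# Length-doubling PRG G(x) = G_L(x) || G_R(x), built from SHA-256 (assumption).
def G_L(x: bytes) -> bytes:
    return hashlib.sha256(b"L" + x).digest()

def G_R(x: bytes) -> bytes:
    return hashlib.sha256(b"R" + x).digest()

def prf(r: bytes, data: bytes) -> bytes:
    """f_r(data): the pseudo-random function of the minimal storage scheme."""
    return hashlib.sha256(b"prf" + r + data).digest()

def erase(sigma: str, i: int) -> str:
    """sigma^i: erase the i rightmost bits of sigma."""
    return sigma[:len(sigma) - i]

def flip(sigma: str) -> str:
    """flip(sigma): flip the rightmost bit of sigma."""
    return sigma[:-1] + ("1" if sigma[-1] == "0" else "0")

def minimal_storage_rekey(r: bytes, members: List[str], removed: str):
    """Section 3.1: k_u = f_r(u); the new session key goes to every remaining
    member under its own key, costing n-1 ciphertexts."""
    k_new = os.urandom(L)
    return k_new, [E(prf(r, u.encode()), k_new) for u in members if u != removed]

class BasicTreeCenter:
    """Group center of the basic binary tree scheme for n = 2**depth users.
    Node indices are bit strings; the root is the empty string."""
    def __init__(self, depth: int):
        self.depth = depth
        self.keys: Dict[str, bytes] = {"": os.urandom(L)}
        for d in range(1, depth + 1):
            for v in range(2 ** d):
                self.keys[format(v, f"0{d}b")] = os.urandom(L)

    def user_keys(self, leaf: str) -> Dict[str, bytes]:
        """The log n + 1 keys on the root-to-leaf path of the user at `leaf`."""
        return {erase(leaf, i): self.keys[erase(leaf, i)] for i in range(self.depth + 1)}

    def remove(self, leaf: str) -> List[Tuple[bytes, bytes]]:
        """Re-key after removing the user at `leaf`; returns the log n broadcasts."""
        r = os.urandom(L)                        # r_{sigma^1}
        broadcasts = []
        for i in range(1, self.depth + 1):
            self.keys[erase(leaf, i)] = G_L(r)   # k_{sigma^i}^new
            sibling = flip(erase(leaf, i - 1))   # subtree without the removed user
            broadcasts.append(E(self.keys[sibling], r))
            r = G_R(r)                           # r_{sigma^{i+1}}
        del self.keys[leaf]                      # the removed user's key is dropped
        return broadcasts

def user_process(held: Dict[str, bytes], broadcasts) -> Dict[str, bytes]:
    """A user tries its keys on every broadcast; the one it can open carries the
    r of the parent of that node, from which it recomputes its path upwards."""
    for ct in broadcasts:
        for node, key in list(held.items()):
            r = D(key, ct)
            if r is None:
                continue
            anc = node[:-1]                      # r belongs to the parent of `node`
            while True:
                held[anc] = G_L(r)
                if anc == "":
                    break
                r, anc = G_R(r), anc[:-1]
            break
    return held

def demo(depth: int = 3, removed: str = "011") -> Dict[str, object]:
    center = BasicTreeCenter(depth)
    leaves = [format(v, f"0{depth}b") for v in range(2 ** depth)]
    users = {leaf: center.user_keys(leaf) for leaf in leaves}
    center_keys, old_session = len(center.keys), center.keys[""]
    broadcasts = center.remove(removed)
    new_session = center.keys[""]
    for leaf in leaves:
        user_process(users[leaf], broadcasts)
    return {
        "broadcasts": len(broadcasts),               # log n
        "user_keys": len(users[leaves[0]]),          # log n + 1
        "center_keys": center_keys,                  # 2n - 1
        "all_agree": all(users[x][""] == new_session for x in leaves if x != removed),
        "removed_excluded": users[removed][""] == old_session != new_session,
    }

if __name__ == "__main__":
    print(demo())
```

Each remaining user can open exactly one broadcast: the one encrypted under the key of the node where its own path leaves the removed user's path. The removed user holds no key under which anything was sent, so its copy of the root key stays at the old value.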

The basic tree scheme parameters appear in Table 1. 





                    minimal storage scheme    basic tree scheme 
 user storage       2                         log n + 1 
 center storage     2                         2n - 1 
 communication      n - 1                     log n 

Table 1. Parameters of the basic schemes. 



3.3 On the Storage Requirements of the Group Center 

On first glance, reducing the center storage requirements in the tree scheme may 
proceed as follows. Instead of having the center keep all keys on the tree, the keys 
may be generated from a single key, say by applying a pseudo-random function, 
and the center will keep only this secret key. However, this idea does not seem to 
work, since when an update occurs, the center will have to change the secret key, 
requiring changing the entire tree, thus bringing the communication to linearly 

^ Alternatively, the secret key may stay the same, but some counter be changed for 
every update. However, this is only useful if we require threshold security (requiring 
In the next subsection we reduce the center storage to $O(n/\log n)$. Further reducing the center storage, or alternatively proving it impossible, remains an interesting open problem. 



3.4 Combined a-ary Tradeoff Scheme 

The basic tree shown in the previous paragraph may be naturally generalized 
from binary trees to a-ary trees. We combine this generalization with the minimal 
storage scheme to create our tradeoff scheme. There are two parameters of the 
construction (i) a - the degree of the tree internal nodes, and (ii) m - the size 
of user subsets to which the minimal storage scheme is applied. The parameters 
determine the number of keys given to every user and the communication costs 
for an update operation. Details follow. 

Divide the multicast group users into disjoint subsets of size $m$: $U_1, \ldots, U_{n/m}$ with $\bigcup_i U_i = M$. The group center constructs an $a$-ary tree of height $b = \lceil \log_a(n/m) \rceil$ (i.e. the tree has at least $n/m$ leaves). Assign subset $U_i$ to the $i$th leaf of the tree. As in the basic tree scheme, a random key is assigned to each tree node. 

For m = 1, Ui = {ui}, the scheme is a simple generalization of the basic tree 
scheme to a-ary trees. For m > 1, we combine the basic tree scheme and the 
minimal storage scheme as follows. Every user $u \in U_i$ is given the $b$ keys assigned to the nodes on the path from the root to the $i$th leaf. The center holds all these keys, as well as a secret key $r_i$ for each leaf $i$ (the $r_i$'s are not known to any user). $r_i$ is used as the seed for the minimal storage scheme between the group center and $U_i$, namely $r_i$ is used for generating a unique private key for every $u \in U_i$. 
Whenever a user u G Ui is removed, the keys on the path from the ith leaf to 
the root are changed. The center sends to every user in Ui \ {u} the new key for 
the ith leaf as in the minimal storage scheme, and then sends the ciphertexts 
necessary to update the path to the root as in the basic tree scheme. 

The security of this scheme follows from the security of the minimal storage 
scheme and the basic tree scheme (based on the security of the pseudorandom 
function). The parameters of the scheme appear in Table 2. 





                    general m, a                       Example 1        Example 2 
 user storage       log_a(n/m) + 1                     O(log n)         2 
 center storage     (n/m) * a/(a-1)                    O(n/log n)       (illegible) + 1 
 communication      m - 1 + (a-1) log_a(n/m)           O(log n)         2 sqrt(n) - 2 

Table 2. Parameters of the tradeoff scheme. Note that setting $a = m = n$ gives the minimal storage scheme and setting $m = 1$, $a = 2$ gives the basic tree scheme. In Example 1, $a = 2$, $m = O(\log n)$; in Example 2, $a = m = \sqrt{n}$. 



storage which is linear in the size of the coalition). For the strong notion of security 
against arbitrary coalitions, this would again require linear storage from the center. 
Denote the center storage by $s_{GC}$, the user storage by $b + 1$ (i.e. $b = \log_a(n/m)$, or equivalently $a = (n/m)^{1/b}$), and the communication by $c = c(n)$. The tradeoff 

scheme allows trading center storage and communication costs, subject to the 
restriction that communication costs are lower bounded as a function of user 
storage. Specifically: 

Theorem 1. There exist secure multicast encryption protocols such that 

1. $s_{GC} \cdot c = O(n)$. 

2. $c = O(bn^{1/b})$. 

These bounds follow from the parameters of our scheme in Table 2. 

Thus, our scheme is flexible enough to deal with a large range of applications, 
adjusting the parameters accordingly (see the cited reference for a discussion and two very different benchmark scenarios). 

In particular, it follows that using our scheme the center storage may be 
reduced by a factor of $\log n$ with respect to the storage in the basic tree scheme. Further reduction in the center storage is achieved by noticing that the center need not hold an explicit representation of the keys; instead it can hold a shorter representation from which it is possible to compute the keys efficiently. Consider, for instance, the case where the group center holds a secret key $r$ to a pseudo-random function $f_r : \{0,1\}^* \to \{0,1\}^\ell$, and a counter $cnt$ which is initially set to zero. Set $m \ge 2$. When a user in $U_i$ is removed, the center uses $r_i = f_r(cnt)$, stores $cnt$ in the leaf corresponding to $U_i$ and advances $cnt$. All the nodes on the path from the $i$th leaf to the root store a pointer to leaf $i$. This way, the center may compute any key in the tree via one application of $f_r$ and $O(\log_a(n/m))$ applications of the pseudo-random generator $G$. 

As an example, consider a group with a million users using DES (7-byte keys). In the basic construction, the needed center memory is $2 \cdot 10^6 \cdot 7 = 14$ Mbytes. Using our construction with a 4-byte counter reduces the center memory to $2 \cdot 10^6 \cdot 4/20 = 400$ Kbytes, which is small enough to be put in a fast 
cache memory. 
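The $a$-ary tradeoff scheme of Section 3.4 with the counter-and-pointer center representation just described, as an added simulation that is not the paper's code. Its assumptions are mine: each user's unique key is $f_r(u)$ under the center's master key (so it is not re-derived when $r_i$ changes), $E, D$ are modelled symbolically, $f$ and $G$ are built from SHA-256, tree nodes are digit tuples in base $a$, and the class and function names (`TradeoffCenter`, `user_process`, `simulate`) are hypothetical. `simulate` runs one removal, reports the message count beside the Table 2 formula $m - 1 + (a-1)\log_a(n/m)$ and the size of the compact center state, and checks that the remaining users agree on the new session key while the removed user does not.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

L = 32  # key length in bytes

# Symbolic stand-in for the black-box pair (E, D) of Section 2 (not a real cipher):
# D returns the payload only when given the key the ciphertext was made with.
def E(key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    return (hashlib.sha256(b"tag" + key).digest()[:8], msg)
def D(key: bytes, ct: Tuple[bytes, bytes]) -> Optional[bytes]:
    return ct[1] if ct[0] == hashlib.sha256(b"tag" + key).digest()[:8] else None
def prf(r: bytes, data: bytes) -> bytes:  # f_r(data), built from SHA-256 (assumption)
    return hashlib.sha256(b"prf" + r + data).digest()
def G_L(x: bytes) -> bytes:  # left half of the PRG output G(x)
    return hashlib.sha256(b"L" + x).digest()
def G_R(x: bytes) -> bytes:  # right half of the PRG output G(x)
    return hashlib.sha256(b"R" + x).digest()

Node = Tuple[int, ...]  # root-to-node digit path in base a; the root is ()

class TradeoffCenter:
    """a-ary tradeoff scheme with the compact center state: a master PRF key, one
    counter per leaf, one leaf pointer per node; k_v = G_L(r_v) is recomputed on demand."""

    def __init__(self, n: int, a: int, m: int):
        assert n % m == 0 and a >= 2
        self.a, self.m, self.leaves = a, m, n // m
        self.height = 0  # b = ceil(log_a(n/m))
        while a ** self.height < self.leaves:
            self.height += 1
        self.master, self.cnt = os.urandom(L), 0
        self.leaf_cnt: Dict[int, int] = {}
        self.pointer: Dict[Node, int] = {}
        for i in range(self.leaves):
            self.leaf_cnt[i], self.cnt = self.cnt, self.cnt + 1
            for node in self.path(i):  # every node starts out pointing at
                self.pointer.setdefault(node, i)  # the leftmost leaf below it

    def path(self, i: int) -> List[Node]:  # nodes from the leaf of U_i up to the root
        leaf = tuple((i // self.a ** (self.height - 1 - j)) % self.a for j in range(self.height))
        return [leaf[:k] for k in range(self.height, -1, -1)]

    def node_key(self, node: Node) -> bytes:  # one PRF call plus <= height PRG calls
        r = prf(self.master, self.leaf_cnt[self.pointer[node]].to_bytes(4, "big"))
        for _ in range(self.height - len(node)):
            r = G_R(r)  # climb from the pointed-to leaf up to `node`
        return G_L(r)

    def user_key(self, uid: int) -> bytes:  # unique key k_u, as in the minimal scheme
        return prf(self.master, b"user" + uid.to_bytes(4, "big"))

    def enroll(self, uid: int) -> Dict[object, bytes]:  # keys sent over secure unicast
        keys: Dict[object, bytes] = {v: self.node_key(v) for v in self.path(uid // self.m)}
        keys["unique"] = self.user_key(uid)
        return keys

    def remove(self, uid: int) -> List[Tuple[Node, Tuple[bytes, bytes]]]:
        """Re-key after removing uid; returns (node, ciphertext) messages."""
        i = uid // self.m
        self.leaf_cnt[i], self.cnt = self.cnt, self.cnt + 1  # fresh r_i = f_r(cnt)
        r = prf(self.master, self.leaf_cnt[i].to_bytes(4, "big"))
        path, msgs = self.path(i), []
        for v in range(i * self.m, (i + 1) * self.m):  # minimal-storage step: r_i to
            if v != uid:  # the m-1 other members of U_i under their unique keys
                msgs.append((path[0], E(self.user_key(v), r)))
        for k in range(1, len(path)):  # tree step: r of each path node goes to
            r = G_R(r)  # the a-1 sibling subtrees under the siblings' keys
            for d in range(self.a):
                sib = path[k] + (d,)
                if sib != path[k - 1] and sib in self.pointer:
                    msgs.append((path[k], E(self.node_key(sib), r)))
        for node in path:  # the whole path now derives from leaf i
            self.pointer[node] = i
        return msgs

def user_process(held: Dict[object, bytes], msgs) -> Dict[object, bytes]:
    """A user opens what it can; r for node v yields k_v = G_L(r) and every key above."""
    for node, ct in msgs:
        r = next((x for x in (D(k, ct) for k in list(held.values())) if x is not None), None)
        while r is not None:
            held[node] = G_L(r)
            r, node = (G_R(r), node[:-1]) if node else (None, node)
    return held

def simulate(n: int, a: int, m: int, removed: int = 0) -> Dict[str, object]:
    c = TradeoffCenter(n, a, m)
    users = {uid: c.enroll(uid) for uid in range(n)}
    old = c.node_key(())
    msgs = c.remove(removed)
    new = c.node_key(())
    for uid in range(n):
        user_process(users[uid], msgs)
    return {
        "messages": len(msgs),
        "formula": m - 1 + (a - 1) * c.height,  # m - 1 + (a-1) log_a(n/m)
        "center_state": 1 + c.leaves + len(c.pointer),  # master + counters + pointers
        "all_agree": all(users[u][()] == new for u in range(n) if u != removed),
        "removed_excluded": users[removed][()] == old != new,
    }
```

With $n = 16$ and $a = m = 4$ (Example 2 of Table 2) one removal costs $3 + 3 = 6 = 2\sqrt{16} - 2$ messages; with $m = 1$, $a = 2$ the cost is $\log n$ and the scheme is the basic tree scheme, except that here the leaf key and the unique key are separate objects.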

4 Lower Bounds 

In this section we describe lower bounds on the amount of storage and the 
communication complexity per update (both measured in units of $\ell$ bits, namely 
the key size), and the relation between the two. We begin by observing simple 
lower bounds on the user storage and the number of keys in the system. 

Lemma 2. For any secure multicast encryption protocol, $\forall U \subseteq M\ \exists k \in K$ such that $k \in K(U)$ but $\forall v \in M \setminus U$, $k \notin K(v)$ (every subset of users has a key which does not belong to any user outside the subset). 

Proof. Assume for contradiction that there exists a subset $U \subseteq M$ such that $\forall k \in K(U)$, $k \in K(M \setminus U)$. That is, every key held by users in $U$ is also held by some user in $M \setminus U$. It follows that any multicast message which is understood by someone in $U$ is also understood by the coalition $M \setminus U$. Consider the operation 
remove{M \ U) (whether done by removing the users one by one, or a more 
general removal of the whole subset). By the above, there is no way to provide 
U with a new session key that is not known to the coalition M\U, and thus this 
update operation cannot be performed securely, yielding a contradiction. □ 



Corollary 3. For any secure multicast encryption protocol, 

1. Every user u G M must hold at least two keys: a unique key known only 
to u and GC, and the session key kg. 

2. The total number of keys in the system is $|K| \ge n + 1$. 

We now turn to prove lower bounds regarding the tradeoff between com- 
munication and user storage. Consider any given secure multicast encryption 
protocol. Recall that n denotes the number of users in the multicast group M, 
and $c(n)$ denotes the maximal communication complexity required for re-keying following a deletion of a user from the group. We let $b(n) + 1$ denote the maximal number of keys, including the session key, held by any user in $M$ (for convenience, we sometimes omit the argument $n$ from the notation of $b$). We will prove bounds on the relation between $b(n)$ and $c(n)$. 

We start with the special case of b(n) = 1, namely for a system where each 
user holds only one key in addition to the session key. This case will be used in 
the following general theorems. 

Lemma 4. If the maximal number of keys held by each user is $b(n) + 1 = 2$, 
then the re-keying communication costs satisfy $c(n) \ge n - 1$. 

Proof. Since each user $u$ holds at most two keys, by Corollary 3 these must be 
the session key kg and a unique key ku known only to u. When a user is removed, 
the other n — 1 users must be notified in order to establish the new session key. 
But since kg is known to the removed user it cannot be used, forcing the center 
to use the unique keys ku for each user who stays in the group, requiring one 
message per user, for a total of n — 1 messages. □ 

The minimal storage scheme presented in Section 3.1 matches the above lower 
bound. 

Theorem 5. Let $b(n) + 1$ be the maximal number of keys held by any user in 
$M$. Then, the re-keying communication costs satisfy $c(n) \ge n^{1/b} - 1$. 

Proof. The proof is by induction on $b$. The base case, $b(n) = 1$, is proved in Lemma 4. For $b(n) > 1$, denote by $t_k$ the number of users holding key $k$. Denote by $k_{max}$ a key other than the session key, such that $t = t_{k_{max}}$ is maximal. 

On one hand, consider the set of $t$ users holding the key $k_{max}$. By the induction hypothesis there exists a user holding $k_{max}$ whose removal incurs re-keying communication costs of at least $t^{1/(b-1)} - 1$, even if only the $t$ users holding $k_{max}$ are considered. On the other hand, when removing any user, the communication must be $c(n) \ge n/t$, since each message is an encryption under some key $k$ which is understood by at most $t$ users. It follows that the re-keying communication complexity is at least 

$$c(n) \ge \max\left(t^{1/(b-1)} - 1,\ \frac{n}{t}\right) \ge \max\left(t^{1/(b-1)},\ \frac{n}{t}\right) - 1 \ge n^{1/b} - 1$$ 

where the last inequality holds for any $1 \le t \le n$. □ 
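As an added worked step (the paper only states that the last inequality holds): for $b > 1$ and any $1 \le t \le n$, split on the value of $t$.

$$\text{If } t \ge n^{(b-1)/b}: \quad t^{1/(b-1)} \ge \left(n^{(b-1)/b}\right)^{1/(b-1)} = n^{1/b}. \qquad \text{If } t < n^{(b-1)/b}: \quad \frac{n}{t} > \frac{n}{n^{(b-1)/b}} = n^{1/b}.$$

In both cases $\max(t^{1/(b-1)}, n/t) \ge n^{1/b}$, with equality exactly at $t = n^{(b-1)/b}$, the point where the two branches cross.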

For constant $b$ the above bound is tight (up to a constant factor), and agrees with the scheme in Section 3. Otherwise, there is an $O(b)$ (and at most $O(\log n)$) gap between the above lower bound and the upper bound in Section 3. 

In the following we consider a class of structure preserving re-keying protocols, defined below, that includes our protocol in Section 3 as well as the other known protocols. We show a tight lower bound (matching our upper bound) for this class, which is $c(n) \ge bn^{1/b} - b$. For the special case $b(n) = 2$ this bound holds even for protocols that are not structure preserving, and we find it useful to prove it in the following lemma. The proof follows the direction of the proof of Theorem 5 above with a more careful analysis. 

Lemma 6. If the maximal number of keys held by each user is $b(n) + 1 = 3$, 
then the re-keying communication costs satisfy $c(n) \ge 2\sqrt{n} - 2$. 

Proof. Each user $u$ holds at most 3 keys, which by Corollary 3 must include the session key $k_s$, a unique key $k_u$, and a possible additional key. As before, let $t$ denote the number of users holding a key $k_{max}$ other than the session key, which is held by the maximal number of users. Consider the operation of removing one of the users holding $k_{max}$. All other $t - 1$ users holding $k_{max}$ can only receive messages encrypted by their unique key, since the other two keys they are holding, $k_{max}$ and $k_s$, were known to the removed user. This requires $t - 1$ messages. Since these messages are sent using unique keys, they do not give any information to the $n - t$ users not holding $k_{max}$, and thus additional messages should be sent to those users, requiring at least $(n - t)/t$ encryptions. Altogether, 

$$c(n) \ge t - 1 + \frac{n - t}{t} = t + \frac{n}{t} - 2 \ge 2\sqrt{n} - 2$$ 

where the last inequality holds for any $1 \le t \le n$. □ 

An instance of the tradeoff scheme (Example 2 in Table 2) matches the above lower 
bound. 

Definition 7. A protocol is structure preserving if $\forall U \subseteq M$ and $\forall v, v' \in M$ ($v \ne v'$), if there exists $k \in K$ such that $\forall u \in U$, $k \in K(u)$ but $k \notin K(v)$, then after the operation remove($v'$) there exists $k' \in K^{new}$ such that $\forall u \in U \setminus \{v'\}$, $k' \in K^{new}(u)$ but $k' \notin K^{new}(v)$. 

Intuitively, structure preserving protocols are those that maintain the property "the set $U$ has an advantage over the user $v$" across updates, for any subset $U$ and user $v$. That is, if there is a set of users $U$ all sharing a key $k$, and a user $v$ which does not have this key, then after removing another user $v'$ (whether $v' \in U$ or not), the users in $U$ still hold some key $k'$ that $v$ does not hold. 
Theorem 8. For structure preserving protocols, the re-keying communication costs satisfy $c(n) \ge bn^{1/b} - b$, where $b + 1$ denotes the maximal number of keys held by any user in $M$. 

Proof. The proof is by induction on $b$ (using a stronger induction hypothesis described below). The base case $b = 1$ follows from Lemma 4. We have also proved the case $b = 2$ in the proof of Lemma 6, and in fact we use here the same idea as in the proof of Lemma 6. However, the difference is that for $b = 2$, the messages sent to the $t - 1$ users holding $k_{max}$ cannot be interpreted by anyone who does not hold $k_{max}$ (since they are sent using unique keys), and thus they can be simply added to the messages sent to the users that do not hold $k_{max}$. In contrast, for $b > 2$, this is not necessarily true: some keys can be shared both by users holding $k_{max}$ and users that do not hold $k_{max}$. Here we use the fact that the protocol is structure preserving and count the $t - 1$ messages needed to update $k_{max}$ which cannot be interpreted by users that do not hold $k_{max}$. Details follow. 

We start by describing a process for selecting a user to be removed: we choose a maximal subset holding some key, then choose a maximal subset of this subset holding another key, and so on, going to smaller and smaller subsets until we reach a single user. More formally, denote $k^{b+1}_{max} = k_s$ (the session key) and $U^{b+1}_{max} = M$ (the entire multicast group). For $i = b, b-1, \ldots, 1$ let $k^i_{max} \in K(U^{i+1}_{max}) \setminus \{k^{b+1}_{max}, \ldots, k^{i+1}_{max}\}$ be a key that is held by a maximal number of users. Let $U^i_{max}$ be the set of users holding $k^i_{max}$. At the end of the process $U^1_{max} = \{u\}$ is a singleton, since $k^1_{max}$ is the unique key of a user $u$. Select $u$ for removal. 

Lemma 9. When removing a user according to the selection process described above, the communication re-keying costs satisfy $c(n) \ge t_2 + \frac{t_3}{t_2} + \cdots + \frac{t_{b+1}}{t_b} - b$, where $t_i = |U^i_{max}|$ (in particular, $t_{b+1} = n$). 



We prove the claim by induction on $b$. For $b = 1$ we simply need to prove $c(n) \ge t_2 - 1$ where $t_2 = n$, which follows from Lemma 4. For $b \ge 2$, let $u$ be the user to be removed according to the selection process above. Consider the set $U^b_{max}$, which is a maximal-size set of users holding a key $k^b_{max} \ne k_s$. Since the protocol is structure preserving, after removing $u$ there should be a key $k'$ which is held by every user in $U^b_{max} \setminus \{u\}$, but not by any other user. Because of the way $u$ was chosen, if $|U^b_{max} \setminus \{u\}| = t_b - 1 > 1$ then no such key $k'$ unknown to $u$ exists before the update, because otherwise the next maximal subset would be chosen as $U^{b-1}_{max}$ and $u$ would not be selected. Therefore, the center needs to send messages to generate this key. By the induction hypothesis, this requires communication of at least $t_2 + \frac{t_3}{t_2} + \cdots + \frac{t_b}{t_{b-1}} - (b - 1)$, which cannot be interpreted by any user outside of $U^b_{max}$. Adding to it the communication costs for these outside users (in order to establish a new session key), sums up to 

$$c(n) \ge t_2 + \frac{t_3}{t_2} + \cdots + \frac{t_b}{t_{b-1}} - (b - 1) + \frac{n - t_b}{t_b}$$ 

as needed. 

Efficient Communication-Storage Tradeoffs for Multicast Encryption 



473 



The only cases which we did not handle are those where $U^b_{max} \setminus \{u\}$ is small (empty or a singleton). If $U^b_{max} \setminus \{u\} = \emptyset$, by the maximality of $U^b_{max}$ each user holds only the session key and a unique key, and the bound of Lemma 4 can be applied. If it is a singleton, any key other than the session key is held by at most two users, which implies that a message sent to the user in $U^b_{max} \setminus \{u\}$ (in order to update the session key) is encrypted by the unique key and cannot be interpreted by other users, thus the same calculation as above holds. 

Thus, we have proved the claim. The theorem follows by observing that 

$$t_2 + \frac{t_3}{t_2} + \cdots + \frac{t_{b+1}}{t_b} \ge b\, n^{1/b}$$ 

which can be proven by induction on $b$. Thus, $c(n) \ge bn^{1/b} - b$, and the proof is complete. □ 
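As an added check of that last inequality (the paper proves it by induction on $b$; this is the direct route): the $b$ terms $x_1 = t_2,\ x_2 = t_3/t_2,\ \ldots,\ x_b = t_{b+1}/t_b$ are positive and their product telescopes,

$$\prod_{j=1}^{b} x_j = t_2 \cdot \frac{t_3}{t_2} \cdots \frac{t_{b+1}}{t_b} = t_{b+1} = n,$$

so the arithmetic-geometric mean inequality gives

$$t_2 + \frac{t_3}{t_2} + \cdots + \frac{t_{b+1}}{t_b} = \sum_{j=1}^{b} x_j \ \ge\ b \Big(\prod_{j=1}^{b} x_j\Big)^{1/b} = b\, n^{1/b},$$

with equality when every $x_j = n^{1/b}$, i.e. $t_i = n^{(i-1)/b}$. Together with Lemma 9 this yields $c(n) \ge bn^{1/b} - b$. The equality case is exactly the communication $m - 1 + (a - 1)\log_a(n/m)$ of Table 2 at $m = 1$ and $a = n^{1/b}$, namely $(n^{1/b} - 1)\, b$, which is why the bound is tight for the tradeoff scheme.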